Product Updates

Role-Based Access Control

Role-Based Access Control allows Osano administrators to restrict application access based on a person's role within the organization. 

It's essential to keep your systems tight. Deciding what happens with a user's data is an important decision that should be based on training on laws and regulations, as well as the promises a company has made to customers within the privacy policy. Role-Based Access Control (RBAC) allows Osano administrators to decide who has access to which data within an organization. User access takes into consideration a multitude of factors, including authority, responsibility and job function. You can also limit access to specific product features and control the user's ability to view, create or modify those features. The aim is to keep data secure and allow users to focus on relevant tasks while restricting access to functions outside their access level.

For example, a company may have many people who are each in charge of specific features. Its customer support team deals specifically with data subject access requests, but you don't want that group to be able to change aspects of your website's consent manager, vendor litigation or product analysis. Role-Based Access Control allows you to assign roles to individual users that limit that access.

Why does this matter?

Role-based access control gives customers the ability to manage which areas of a particular system their users can access at a granular level to maintain compliance with various security standards. The solution is in line with the security principle "Give the fewest amount of people the least amount of access possible to do their jobs." 

The National Institute of Standards and Technology proposed RBAC in 1992. Since then, it's become the standard for many large organizations, as well as government organizations. While the EU General Data Protection Regulation doesn't specifically mandate RBAC, it does call for organizations to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

Implementing RBAC should include a data inventory, defining roles (who should have access to what), an information campaign for employees on the policy, and regular audits to ensure it's working.

Product(s) Affected

Core Platform



Data Subject Access Request Voice Forms

DSAR Voice Forms allow end-users to dial a phone number to submit data subject access requests rather than filling out the web form itself.

Introducing Data Subject Access Request (DSAR) Voice Forms. Given the ever-increasing need to handle data subject access requests, DSAR Voice Forms allow end-users to dial a phone number to submit data subject access requests rather than filling out the web form itself. Data subject access requests are a consumer tool provided under European and California privacy laws. Companies covered by the EU General Data Protection Regulation or the California Consumer Privacy Act have to provide users with the information they've collected about them and how they're using it. Generally, those requests come in written form.

Specifically, the GDPR says data subjects should be able to exercise their right to data collected about them and should be able to "exercise that right easily and at reasonable intervals." They should have the right to "know and obtain communication" from a company about why their data is being processed, who has access to it, the logic on which the data is being processed and "at least when based on profiling, the consequences of such processing." 

Under the GDPR, companies can't charge a fee for a DSAR, and requests have to be fulfilled within 30 days of receipt.

But the California Consumer Privacy Act goes further and requires businesses that have an offline component to maintain a phone line to accept data subject access request submissions. Under the CCPA, DSARs must be fulfilled within 45 days of receipt, compared to the GDPR's one-month timeframe.

Osano's Voice Forms allow for a voice-to-text translation, automating the DSAR submission process. Transcripts and recordings will be accessible alongside submissions, so our customers can ensure the accuracy of requests. 

Why does this matter?

Call centers and call agents are a significant expense. They require companies to hire and train agents and have enough agents on call at all hours to handle incoming requests. That's why companies often outsource call center agents. The DSAR Voice Form means Osano customers can cut costs by eliminating the need for a live, trained agent.

DSAR Voice Form helps you:

  • Comply with GDPR rules on data subject access requests
  • Comply with California privacy law rules on data subject access requests

Product(s) Affected

Subject Rights Management



First-Layer Categories

First-layer category control allows greater customization of how a user interacts with the consent banner.


Cookie rules in the U.K. and the EU require sites with European visitors to display the purpose and categories of the cookies they'll drop if users accept. There are two "layers" involved when it comes to most cookie compliance laws.

  1. The first layer is the immediate interaction with the user, the very familiar box that asks them to "accept" or "decline" cookies.
  2. The second layer is user-initiated, in the event they want to know more about how their data will be collected and used. 

By default, Osano uses a popup containing all opt-in categories for users accessing sites from the EU and other select locales. Toggling First-Layer Categories to "off" turns the popup into a "Manage Preferences" display. A second-layer "drawer" allows users to view and consent to the site's cookie categories (i.e., cookies used for marketing, personalization, analytics).

Why does this matter?

For Osano customers in the EU and the European Economic Area, the First-Layer Categories feature offers more flexibility over how the Osano consent banner appears to customers. Sites may experience higher opt-in consent rates with First-Layer Categories off.

Product(s) Affected

Consent Management



What's New at Osano

Chinese banner update

China passed a privacy law recently. The Personal Information Protection Law comes into effect on Nov. 1, 2021. It requires changes for obtaining consent from users for tracking, analytics, personalization and marketing.

AI-powered Data Discovery, "No Fines, No Penalties" Pledge, $11M in funding

Today Osano is launching our AI-powered Data Discovery feature and introducing an industry-first "No Fines, No Penalties" Pledge. In addition, we're announcing $11 million in new funding. 

Global Privacy Control

Osano's Consent Management platform now understands and communicates Global Privacy Control signals.

French banner consent configuration

In October 2020, the French Data Protection Authority changed its rules on cookies. This feature provides a consent-banner configuration that applies to French users and complies with the DPA's rules. 

Nissenbaum Release

The Nissenbaum release includes "Text Customization for Consent Manager." Customers can now customize the language within their cookie pop-up.

The release also includes "Upload Documents" for vendor monitoring.