Osano is a US data privacy platform headquartered in Austin that includes a consent management platform (CMP), a vendor risk module, a data subject request portal and a free open source banner library widely used by SaaS and e-commerce sites.
Osano is a data privacy platform operated by Osano Inc., a Delaware company headquartered in Austin, Texas. The product suite combines a consent management platform, a vendor risk module, a data subject request portal and the popular open source Cookie Consent banner library acquired from Silktide. Osano is particularly common on SaaS and e-commerce sites because of its free tier and its native integrations with Salesforce and HubSpot.
The Osano script scans the website on a recurring schedule, classifies every cookie and tag, renders a banner that asks the visitor to opt in per category and stores the granular decision. Other scripts read the choice through the Osano global API or through the standard IAB TCF v2.2 signal that Osano can expose. The Business plan adds a vendor risk register that tracks the sub-processors used by the controller.
Osano sets two strictly necessary first-party cookies: osano_consentmanager (the consent decision, up to 12 months) and osano_consentmanager_uuid (a hashed visitor identifier). It also stores a server-side consent record that contains the truncated IP for geolocation, the timestamp, the consent string and the browser language. No advertising identifier is processed by Osano itself.
Because Osano is the layer that gates every other tracker, its own cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy. Consent is therefore not required for the banner itself, but the controller still must demonstrate consent for the downstream services. Osano provides exportable consent logs that satisfy Article 7(1) GDPR and the EDPB Guidelines 05/2020.
Osano hosts consent records primarily on AWS US East (Virginia) with replication to AWS EU West (Dublin). The transfer relies on the EU-US Data Privacy Framework decision of 10 July 2023 (Osano Inc. is certified) and, as a fallback, on Standard Contractual Clauses with a Transfer Impact Assessment included in the Osano DPA. EU controllers may prefer a fully EEA-based CMP if they want to avoid US transfers entirely.
Sign the Osano DPA, place the Osano script before any non-essential tag, enable default deny on all categories, activate Google Consent Mode v2 from the dashboard, embed the automated cookie declaration and review the weekly scan report. Keep the consent log accessible for at least 12 months to meet Article 7(1) GDPR. Document Osano Inc. in the privacy notice as a recipient and the US transfer in the record of processing.
Websites using Osano must obtain user consent under GDPR regulations.
DPIA considerations
A standalone DPIA is rarely required because Osano processes only the minimal data needed to record consent (truncated IP, hashed identifier, timestamp, browser metadata). The DPIA should however document the US transfer leg under the EU-US Data Privacy Framework decision of 10 July 2023 (Osano is certified), the choice between the free and Business plans, and the vendor and DSAR modules that may expand the processing footprint.
Sample consent text
We use Osano to record your cookie preferences. The Osano cookies are strictly necessary and store your decision for up to 12 months. By clicking Accept you consent to the non-essential cookies described below; you can withdraw or change your consent at any time via the Cookie settings link served by Osano.
Third-party domains contacted
osano.com, cmp.osano.com, cookieconsent.osano.com, consent.api.osano.com, app.osano.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| osano_consentmanager | first_party | 12 months | Stores the visitor consent choices, the consent identifier and the version of the cookie policy. |
| osano_consentmanager | http_cookie | 12 months | Strictly necessary first-party cookie that stores the visitor granular consent decisions across categories so the banner does not reappear while the consent is valid. |
| osano_consentmanager | first_party | 13 months | Stores the visitor consent decision per cookie category as a JSON string. |
| osano_consentmanager_uuid | first_party | 13 months | Pseudonymous identifier mapping the visitor decision to the centralised consent log on the Osano dashboard. |
| osano_consentmanager_uuid | first_party | 12 months | Anonymous identifier used to retrieve the visitor consent record on subsequent visits. |
| osano_consentmanager_uuid | http_cookie | 12 months | Strictly necessary first-party cookie that stores a hashed visitor identifier used to retrieve the corresponding server-side consent record for audit purposes. |
| osano_consentmanager_expdate | http_cookie | 12 months | Strictly necessary first-party cookie that stores the expiry date of the consent decision so the banner is re-displayed when the consent window closes. |
Osano sets the osano_consentmanager first-party cookie plus a few support cookies that store the categories accepted and a consent identifier. Server-side, a truncated IP and timestamp are stored as proof of consent.
Osano sets two strictly necessary first-party cookies: osano_consentmanager, which stores the granular consent decisions (default 12 months), and osano_consentmanager_uuid, which contains a hashed visitor identifier used to retrieve the corresponding server-side consent record. No advertising or analytics cookies are set by Osano itself.
No. Osano qualifies as strictly necessary under Article 5(3) ePrivacy. The third-party trackers it manages still require valid consent.
No. The Osano cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy because they store the visitor consent decision that has been explicitly requested. Consent is required only for the third-party services governed by Osano, not for the consent layer itself.
Legitimate interest under Article 6(1)(f) GDPR and the proof of consent obligation under Article 7(1). The US transfer is covered by SCCs and the Data Privacy Framework.
Osano is deployed under legitimate interest pursuant to Article 6(1)(f) GDPR for the controller, combined with the legal obligation under Article 5(3) ePrivacy and Article 7(1) GDPR to obtain and document consent for any non-essential trackers. The platform itself processes only the limited data needed to evidence that consent.
Yes. Osano processes consent metadata on US infrastructure. The transfer is covered by SCCs and the EU-US Data Privacy Framework, and a transfer impact assessment is recommended.
Yes. Osano Inc. is a Delaware company that processes consent records on AWS US East (Virginia) with replication to AWS EU West (Dublin). The EU-US Data Privacy Framework decision of 10 July 2023 covers the transfer because Osano is certified, supplemented by Standard Contractual Clauses in the Osano DPA.
A DPIA is recommended because of the systematic US transfer. Document the data flows, the SCC or DPF safeguards and the residual risk for European visitors.
A standalone DPIA is rarely required because Osano processes only the minimum data needed to record consent. If the deployment includes the Vendor Risk module or the DSAR module, document those broader processing activities in the DPIA and reference the US transfer leg in any case.
Insert the loader in the head, classify each script, block non-essential tags before consent, mirror accept and reject buttons, sign the SCC addendum, and expose a preference link in the footer.
Sign the Osano DPA, place the Osano script before any non-essential tag, enable default deny on all categories, activate Google Consent Mode v2 from the dashboard, embed the automated cookie declaration on the privacy policy page and review the weekly scan report. Configure the GeoLocation feature so the banner adapts to EU and California audiences.
Comparable consent management platforms include Cookiebot, OneTrust, Iubenda, CookieFirst, CookieHub, Didomi, Sourcepoint, Usercentrics, Axeptio and Klaro. CookieHub and CookieFirst are EU-based and closer to Osano on price; Didomi and Sourcepoint are better suited to large publishers with TCF v2.2 needs.
Cookiebot, CookieFirst, CookieHub, Axeptio, Didomi, Complianz, OneTrust, Sourcepoint, Klaro. EU-based vendors avoid the Schrems II overhead.
Use the Osano scanner to refresh the inventory, document purpose and duration for each cookie, and version the policy when scripts change.
Enable the automated cookie declaration block in the Osano dashboard and embed it on your privacy policy page. Osano rescans the site automatically and republishes the updated declaration. Subscribe to the Osano release notes and review the weekly scan summary before each release to catch newly added vendors or sub-processors.