All Vendors
cmp

Osano

A consent management platform that itself bypasses consent — Osano triggers 8 BTI behavioral codes including consent bypass (C09) and identity resolution (C14), making it the fox guarding the henhouse.

206 IOCs10 detections60% pre-consent8 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Osano discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

10 detections across 8 sites60% pre-consent activity
CRITICAL

Pre-Consent Activity

Osano was observed loading and executing before user consent was obtained on 60% of sites where it was detected.

GDPRePrivacy
HIGH

Pending Analysis

8 BTI behavioral codes detected across 10 detections on 8 sites. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
1 HIGH

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

8 BTI behavioral codes detected across 10 detections on 8 sites. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If Osano is deployed on your site, your entire consent architecture may be compromised. The 60% pre-consent firing rate means that for the majority of your visitors, tracking begins before they have a chance to express preferences. Every vendor downstream of Osano inherits this tainted consent signal — if your CMP itself violates consent, no vendor it manages can claim valid consent either. Your Data Protection Impact Assessment likely does not account for your CMP operating as a data controller with identity resolution capabilities. Under GDPR, this gap could expose you to enforcement action not just for Osano's behavior, but for every vendor in your consent-managed stack.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Osano

  • Audit Osano's actual runtime behavior against its documented consent flow using independent HAR capture
  • Verify whether Osano's pre-consent firing is a configuration issue or inherent platform behavior
  • Review your DPIA to confirm Osano is properly classified — it may qualify as a data controller, not just a processor
  • Test consent state propagation: confirm downstream vendors actually respect Osano's consent signals

If You're Evaluating Osano

  • Request Osano's own compliance audit results and compare against BLACKOUT runtime findings
  • Evaluate alternative CMPs that do not exhibit consent bypass behavior in runtime analysis
  • Assess whether Osano's identity resolution capabilities are disclosed in their DPA
  • Consider the liability implications of a CMP that itself requires consent governance

Negotiation Leverage

  • Your consent management platform triggers consent bypass (C09) at a 60% pre-consent rate — this is the single most damaging finding possible for a CMP vendor
  • 8 BTI behavioral codes detected including identity resolution (C14) and cross-domain sync (C08) — capabilities undisclosed in standard CMP contracts
  • If Osano's consent bypass invalidates downstream consent chains, your organization bears the regulatory exposure for every vendor in the stack
  • Request full disclosure of all data collection, identity resolution, and cross-domain capabilities — compare against their processor agreement
  • Demand runtime audit results showing Osano's own pre-consent behavior on reference implementations
Runtime Detections

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: Osano deploys evasion infrastructure that may behave differently during audits or compliance checks, undermining the reliability of your consent verification processes.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: A consent management platform collecting behavioral biometric data (keystroke/mouse patterns) raises immediate questions about purpose limitation under GDPR Article 5(1)(b).

BTI-C07Session Recording

Full session replay

Impact: Session replay capability on a CMP means Osano can observe exactly how users interact with consent dialogs — data that should never leave the consent layer.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Identity stitching across domains by your CMP means Osano can build cross-site profiles of your visitors through the very tool meant to protect their privacy.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: The most critical finding: your consent management platform fires 60% of the time before consent is obtained. This invalidates the entire consent chain for every downstream vendor Osano is supposed to govern.

BTI-C10Fingerprinting

Device identification

Impact: Device fingerprinting by a CMP creates a persistent identifier that survives cookie deletion — directly contradicting the user's expressed privacy preferences.

BTI-C13Persistence Mechanisms

Long-lived identifiers

BTI-C14Identity Resolution

PII deanonymization

Impact: PII deanonymization by a consent platform means Osano can identify individual visitors, creating a data controller relationship most organizations have not accounted for in their privacy impact assessments.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Osano operates as a container/loader, which is expected for a CMP. However, combined with its other behavioral codes, this container has far more capability than a neutral consent layer should possess.

IOC Manifest

IOC Manifest

200 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.osano.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Announcement_Bar.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/template_assets/1/*/*/template_main.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/template_assets/1/*/*/template_jquery.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Header.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Stacked_Hero_Tab_Interactive.js*
Tracking script
TRACK
*cmp.osano.com/2sUBzx7wRdAfu6J2kkS/*-886f-4a9b-a90f-*/osano.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Global_Trust_Bar_Light.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Parallax_Switchback.js*
Tracking script
TRACK
*www.osano.com/hs/hsstatic/content-cwv-embed/static-1.*/embed.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Icon_Card_Deck.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/template_assets/1/*/*/template_swipper.js*
Tracking script
TRACK
*www.osano.com/hubfs/hub_generated/module_assets/1/*/*/module_Testimonials_Swiper.js*
Tracking script
TRACK
*www.osano.com/hs/hsstatic/HubspotToolsMenu/static-1.432/js/index.js*
Tracking script
TRACK
*compass.osano.com/static/array.js*
Tracking script
TRACK
*www.osano.com/hs/scriptloader/*.js*
Tracking script
TRACK
*www.osano.com/_hcms/forms/v2.js*
Tracking script
TRACK
*compass.osano.com/array/phc_br5wMjnW6hyOKicG2YNJwMT9JnZVyevmUh5n8YbuoGC/config.js*
Tracking script
TRACK
*cmp.osano.com/2sUBzx7wRdAfu6J2kkS/*-886f-4a9b-a90f-*/osano-ui.js*
Tracking script
TRACK
*cmp.osano.com/2sUBzx7wRdAfu6J2kkS/*-886f-4a9b-a90f-*/en.json*
Tracking script
TRACK
*compass.osano.com/static/dead-clicks-autocapture.js*
Tracking script
TRACK
*compass.osano.com/static/exception-autocapture.js*
Tracking script
TRACK
*compass.osano.com/static/posthog-recorder.js*
Tracking script
TRACK
*compass.osano.com/static/surveys.js*
Tracking script
TRACK
cmp.osano.com
Tracking script
TRACK
osano.com
Tracking script
TRACK
www.osano.com/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js
Auto-extracted from scan
TRACK
www.osano.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/112224055108/1764113889428/module_Announcement_Bar.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/template_assets/1/107540964238/1769026641835/template_main.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/template_assets/1/110533867323/1769026641209/template_jquery.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/111415423003/1755606182639/module_Header.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/190580748344/1751480838831/module_Stacked_Hero_Tab_Interactive.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/114740275971/1743597026405/module_Global_Trust_Bar_Light.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/197973997147/1762243483521/module_Parallax_Switchback.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/template_assets/1/111031010489/1769026654334/template_swipper.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/200370862893/1764003962915/module_Icon_Card_Deck.min.js
Auto-extracted from scan
TRACK
www.osano.com/hubfs/hub_generated/module_assets/1/107932176250/1743596952127/module_Testimonials_Swiper.min.js
Auto-extracted from scan
TRACK
www.osano.com/_hcms/forms/v2.js
Auto-extracted from scan
TRACK
www.osano.com/hs/scriptloader/4785246.js
Auto-extracted from scan
TRACK
www.osano.com/hs/hsstatic/HubspotToolsMenu/static-1.432/js/index.js
Auto-extracted from scan
TRACK
compass.osano.com/static/array.js
Auto-extracted from scan
TRACK
cmp.osano.com/2sUBzx7wRdAfu6J2kkS/8e547744-886f-4a9b-a90f-7e96a47aa604/osano.js
Auto-extracted from scan
TRACK
compass.osano.com/array/phc_br5wMjnW6hyOKicG2YNJwMT9JnZVyevmUh5n8YbuoGC/config.js
Auto-extracted from scan
TRACK
cmp.osano.com/2sUBzx7wRdAfu6J2kkS/8e547744-886f-4a9b-a90f-7e96a47aa604/osano-ui.js
Auto-extracted from scan
TRACK
compass.osano.com/static/posthog-recorder.js
Auto-extracted from scan
TRACK
compass.osano.com/static/dead-clicks-autocapture.js
Auto-extracted from scan
TRACK
compass.osano.com/static/surveys.js
Auto-extracted from scan
TRACK
compass.osano.com/static/web-vitals.js
Auto-extracted from scan
TRACK
compass.osano.com/static/exception-autocapture.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Osano operates in the consent management space alongside OneTrust, Cookiebot, and TrustArc. As a CMP, it sits at a privileged position in the tag execution chain — it controls which other vendors load and when. This gatekeeper role makes its own behavioral violations especially consequential, as every downstream vendor's consent status depends on Osano functioning as advertised. Osano integrates with major tag managers, analytics platforms, and marketing stacks, meaning its consent bypass behavior can cascade across the entire vendor ecosystem on any site where it is deployed.
Loads (3)
LinkedinHubspotDoubleclick
Loaded By (1)
Fullstory
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

206 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details