Complying with Data Privacy Laws May not be Sexy, but Austin-based Osano Says it’s a Billion Dollar Business

Arlo Gilbert, CEO and Co-Founder of Osano and Scott Hertel, CTO and Co-Founder of Osano, photo courtesy of Osano

In the modern era, every company is a global company, said Arlo Gilbert, CEO, and Co-Founder of Osano.

Today, more than 65 laws exist worldwide governing how companies handle customers’ data online and privacy laws, Gilbert said.

Most notably, the General Data Protection Regulation, known as GDPR, went into effect in May of 2018. It is a law that governs privacy for all citizens of the European Union and how their data is handled by companies.

And a similar law, the California Consumer Privacy Act will take effect Jan. 1, 2020. It is designed to give consumers more control of their data and personal information online and it will have a huge impact on how to handle customer privacy online, Gilbert said.

“The California law is like GDPR – the biggest common elements – you have to ask permission of a visitor to your website – before you share data with other people,” Gilbert said. “And you have to record that

permission somewhere.”

Other rights include the right to delete and modify data and opt-out of data selling or sharing, Gilbert said. The GDPR law also has the right to be forgotten to exclude information about an individual, he said.

Osano, founded in 2018, is focused on helping companies, particularly mid-sized enterprise companies, comply with privacy laws. It has created an online data privacy platform that companies subscribe to on a monthly basis and keeps them in compliance with GDPR and other privacy laws like the California law. It offers a free platform for solo entrepreneurs and prices ranging from $99 up to $199 monthly for larger companies. It launched publicly this month and it already has signed up more than 300 companies.

Osano’s name is intentional, Gilbert said. In Hindi, Osano means make it easy and that’s what Osano is doing for its customers when it comes to keeping them in good standing with privacy laws, he said. Being compliant with privacy laws also helps reduce data breaches and potentially exposing customer information, he said.

Companies with local websites must comply with global laws because they have people visiting from outside their region, Gilbert said.

“That means you have to comply with the laws in Brazil, and China and France and Germany and California,” Gilbert said during a talk on the future of Big Data & Online Privacy put on by America’s Future Foundation. “And it’s really, really hard. And big companies have big teams that they use to go and solve all these problems with lots of lawyers and lots of tech people and they hire lots of privacy experts.”

But companies with under about 5,000 employees the odds are high that they are just kind of “winging it,” Gilbert said. “And that’s not good.”

Gilbert is a serial entrepreneur. He and his co-founder, Scott Hertel, previously built Meta SaaS and sold it in 2018 to Flexera. Gilbert started his first bootstrapped company in 1997 while a student at the University of Texas. He grew that to $50 million in revenue before selling it.

Osano has built a set of tools that makes it easy to comply with all these data laws for companies with just a few employees up to 5,000 employees, he said.

“A lot of really great companies have chosen not to do anything with data privacy,” Gilbert said.

But the California law is going to make them act, he said.

“It’s effectively a national law,” he said.

Right now, only eight percent of companies online are compliant with the requirements of the California law, Gilbert said.

“We’re trying to help them get ready fast,” he said.

Osano has raised $3 million from LiveOak Venture Partners in 2018 with participation from Next Coast Ventures, Capital Factory, Social Starts, Barracuda Networks and 345Partners Co-Founder Michael Perone, data.world and Bazaarvoice Founder Brett Hurt, and Indeed Founder Rony Kahan. Osano has seven full-time employees and works with a team of contract lawyers nationwide. Those lawyers read company privacy policies and rate them.

Osano has built a comprehensive product for privacy that handles consent, vendor monitoring, and advisory services, Gilbert said.

It makes a consent form pop up that asks website visitors if they agree to the company’s policy of using cookies to track website visitors. More than 750,000 companies use Osano’s website popup and it serves up 2.5 billion pop-ups a month, Gilbert said.

The consent manager keeps a marketing team from getting a company in trouble, Gilbert said. It requires a person visiting the webpage to give consent to use their data, he said.

“The consent component is table stakes these days – if you’re not doing it, your company is going to get sued,” he said.

Osano also operates an Irish subsidiary, Osano International Compliance Services, based in Dublin, Ireland. Companies with more than 200 employees are supposed to have a presence in the European Union to comply with GDPR, Gilbert said. Osano handles that requirement for its customers.

Osano also offers up to date privacy monitoring. It has created its own rating scorecard on more than 7,000 vendors and how their privacy policies rate.

“It’s really hard to figure out if one company is doing a good job of privacy vs. another one,” Gilbert said. So Osano created a standardized form to rate them.

Companies have convoluted privacy statements, Gilbert said. Osano contracts with 24 attorneys who read those statements and then answer 163 questions on a standard form which ranks how the company’s privacy policies rate. It also monitors the sites for changes in policies and updates them. The rating scale also lists how many lawsuits the company has pending against it in court. Facebook has more than 2,200 lawsuits, Gilbert said. The average company has one, he said.

“You can really assess the risk and determine whether this is a company you should be doing business with,” he said.

“One of the important reasons for vendor monitoring – it’s a good idea to understand your supply chain,” Gilbert said. “If you’re Whole Foods you can tell me everyone in your supply chain for that can of tuna. It’s also required under the California law that you cascade down to your vendors and all their privacy policies. “

California’s fine is $7,500 fine per record of violation for 1000 records that is a $7.5 million fine.

Lastly, Osano provides advisory services that help companies build internal privacy policy, Gilbert said.

“Compliance is kind of boring,” Gilbert said. “This is not a sexy industry. We’re not making a new Rocketship.”

But data protection is a $125 billion industry, Gilbert said. And Berkeley Economic Advising and Research predict companies will spend $55 billion over the next two years just to get complaint with California’s law.

“We just thought this product needed to exist,” Gilbert said. “This is the second time we’ve been really lucky about timing. We are in the right place at the right time.”

Osano is a B-Corp, which is a mission-driven for-profit venture with goals to be Austin’s next company valued at $1 billion, Gilbert said.

“Aside from that noble altruistic goal, we want to turn this company into Austin’s next Unicorn,” Gilbert said. “We’re going to be part of that club. Our goal is to build a really big Austin success story.”