Auth0's privacy policy was updated on July 3, 2026, with 263 sentences modified, 3 added, and 2 removed. The primary substantive changes clarify that Okta customers, not Okta, control whether users receive account access to the identity service, and that Okta operates as a processor on behalf of customers who control personal data. A new example states that obtaining Okta Certifications from the Learning Hub is included in scenarios where Okta acts as a processor. The remaining changes appear to be minor wording adjustments and formatting corrections.
The updated policy clarifies that Okta's customers, not Okta itself, make the decision about whether to provide users with account access to the identity cloud service. This reinforces that Okta operates as a data processor on behalf of customers who control personal data, rather than as an independent controller. The policy adds that obtaining certifications from Okta's Learning Hub is an example of a scenario where Okta acts as a processor. These are clarifications of Okta's operational role, not changes to data handling practices.
The updated policy clarifies Okta's legal role as a data processor acting under customer direction, reinforcing that customers, not Okta, control decisions about user account access and data handling. This is operationally significant for compliance purposes because it establishes clear responsibility allocation: customers determine whether personal data is collected and used, while Okta executes those decisions within contractual bounds. The clarification may reduce ambiguity in customer privacy notices and data processing agreements.
Okta explicitly states it operates as a data processor on behalf of customers, who control personal data and account access decisions.
The revised policy adds explicit language stating that customers, not Okta, control whether users receive account access.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
The update clarifies Okta's contractual role as a data processor rather than controller for customer data. This is a clarification of existing operational practice rather than a substantive policy shift. No new obligations appear to be created; the language simply makes explicit that customer agreements govern data use and that Okta acts under customer direction. Compliance teams may note this clarification in vendor management files, but no immediate action is required.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003451.