Okta's updated privacy policy (July 3, 2026) contains 263 modified sentences and makes two substantive clarifications. First, the policy now explicitly states that 'not Okta' controls whether customers provide you access to Okta's identity cloud service, clarifying the customer's role as the primary decision-maker. Second, the policy adds an example clarifying that processing related to obtaining Okta Certifications from the Learning Hub occurs in Okta's role as a processor on behalf of the customer. The majority of changes appear to be minor wording adjustments and formatting corrections. These updates clarify Okta's data controller and processor roles without materially expanding data collection, sharing, or retention authority.
The updated policy clarifies that Okta customers (not Okta itself) control whether you are granted access to Okta's identity cloud service. The policy also adds an explicit example stating that when you obtain Okta Certifications from the Learning Hub, Okta processes your data in its role as a processor on behalf of the customer. These clarifications do not change Okta's data handling practices but make the customer's control and Okta's processor role more explicit.
The updated policy clarifies Okta's role as a data processor on behalf of customers and explicitly states that customers control account access decisions. This clarification reinforces accountability relationships and helps users understand who makes decisions about their access to Okta services. The addition of the Learning Hub certification processing example makes explicit what Okta's processor role covers in practice.
Policy now explicitly states that Okta customers, not Okta, control whether you receive access to the identity cloud service.
Policy adds explicit example that Okta processes certification data in its role as a processor on behalf of the customer.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The July 3, 2026 update to Okta's privacy policy contains primarily minor wording adjustments and clarifications. The substantive changes clarify Okta's role as a data processor on behalf of customers and reinforce that customers control account access decisions. These clarifications align with standard GDPR and CCPA processor/controller frameworks already implied in the prior policy. No new data processing authorities are asserted, and no material obligations are added. Organizations using Okta should note the clarification regarding the Learning Hub certification processing, but no compliance action is likely required.
GDPR (processor/controller distinction), CCPA (service provider role), sector-specific regulations where Okta customers operate
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003450.
This new provision explicitly discloses Okta's practice of purchasing and enriching personal data from external sources, which is a more aggressive data practice not previously disclosed in the policy.
This new provision introduces CCPA-specific disclosures and distinguishes between 'sale' and 'sharing' under California law while providing a mechanism for opt-out, indicating increased compliance with state privacy legislation.
This new provision explicitly enumerates GDPR and UK/Swiss data protection rights only for EEA/UK/Swiss residents when Okta acts as controller, narrowing the scope of rights previously offered universally.
The removal of this broad, location-independent rights provision in favor of region-specific rights statements (GDPR for EEA/UK/Swiss only) represents a significant narrowing of stated privacy rights for non-European residents.
The removal of explicit children's privacy protections eliminates a clear commitment to not collecting data from minors under 16, which may reduce compliance clarity regarding COPPA and similar regulations.
The removal of this explicit marketing communications opt-out provision eliminates a clear, easy mechanism for users to control marketing communications.
The provision now explicitly limits the scope of the policy to Okta's controller role only and directs processor customers' end users to customer privacy policies rather than Okta's own, representing a significant structural clarification and shift in responsibility.
The revised version removes the detailed list of service categories (web hosting, payment processing, etc.) and shifts focus from sharing 'on our behalf' to sharing with partners whose products/services may interest users, broadening the scope of third-party sharing.
The language changes from passive 'may automatically collect' to active 'we use,' replaces 'embedded scripts' and 'location-identifying technologies' with 'pixel tags,' and adds specific examples like 'referring URLs' and 'links clicked' while clarifying scope to websites and communications.
The revision introduces Okta Ireland Limited as the specific EEA/UK/Switzerland data controller, removes vague language about 'adequate protection,' and explicitly confirms SCCs as the sole legal mechanism for transfers from those regions.
The revision removes explicit mention of 'establish or defend legal claims' and 'fraud prevention purposes,' replacing them with more general 'resolve disputes and enforce our agreements' language, while adding reference to 'applicable laws.'
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorOkta's privacy policy was updated on May 9, 2026 with a minor formatting change to how they reference their contact …
Okta made two minor corrections to its privacy policy on May 6, 2026. The first change removed extra spacing around …
Okta's Privacy Policy was updated on May 5, 2026 to add a trailing space at the end of a sentence …
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the …
TikTok's data collection extends to device sensors, clipboard content, geolocation, and cross-site tracking. Here is what their Privacy Pol…
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.