What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy explicitly engages GDPR and UK GDPR for EU and UK data subjects, CCPA and CPRA for California residents, and references compliance with applicable global privacy laws. The relevant enforcement authorities include the Irish Data Protection Commission (Okta's EU lead supervisory authority), the UK Information Commissioner's Office, and the California Privacy Protection Agency. Cross-border data transfers from the EU and UK to the United States are addressed throu…

How does Auth0's Auth0 Privacy Policy affect users?

The policy permits Okta to collect personal identifiers, usage patterns, device data, and professional information from website visitors, trial registrants, and customers, and to share this information with advertising networks, analytics providers, and business partners. For individuals whose access to services occurs through an enterprise Auth0 or Okta deployment, Okta's policy may not be the governing instrument; instead, the terms established by the employing organization or application dev…

How often is Auth0's Auth0 Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Auth0 updates this document?

Yes. Monitor subscribers ($19/month) can add Auth0 to their watchlist and receive same-day email alerts whenever this document or any other Auth0 document changes.

CA-D-000692

Auth0 Privacy Policy

Auth0

Last change detected June 2, 2026 Privacy policy

SHA-256: 991083ac1bdfdd16ec1… 3 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Auth0 ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

5 Medium severity

5 Low severity

Summary

This privacy policy governs Okta's collection and use of personal information from individuals who visit Okta's website, register for trials, attend events, or use Okta's identity and access management services. The policy establishes that Okta collects name, email, company information, device identifiers, and behavioral data, and authorizes sharing this information with advertising partners and third-party service providers. Individuals in California, the EU, and the UK may submit requests to access, delete, or opt out of certain data processing activities by contacting privacy@okta.com.

Technical / Legal Breakdown

This document is Okta's Privacy Policy governing the collection, use, sharing, and retention of personal data by Okta, Inc. and its subsidiaries including Auth0, across Okta's websites, marketing activities, and customer-facing identity platforms; the stated legal bases for processing include contractual necessity, legitimate interests, consent, and compliance with legal obligations. The policy states that Okta collects personal data including identifiers, usage data, device and log data, and professional information, and the terms authorize sharing this data with service providers, business partners, advertising networks, and in connection with corporate transactions such as mergers or acquisitions. Notably, the policy covers both Okta's own website visitor data and its role as a data processor for enterprise customers deploying Okta or Auth0 products, creating a layered data relationship where end users of enterprise deployments are governed by their employer's or developer's privacy terms rather than this policy directly; the practical scope of Okta's data controller role versus processor role may require independent evaluation depending on the specific product context. The policy engages GDPR and UK GDPR for EU and UK residents, CCPA and CPRA for California residents, and other applicable global privacy frameworks; material compliance considerations include the adequacy of disclosed cross-border data transfer mechanisms, the granularity of consent for marketing and analytics cookies, and the clarity of data subject rights procedures for individuals accessing Okta or Auth0 services through enterprise deployments.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

3 versions captured · Last updated: June 2026

June 2, 2026

low

What changed Auth0 updated a single sentence in their privacy policy on June 2, 2026. The change removed quotation marks around 'How to Contact Okta' in a sentence describing how individuals in the EEA, UK, or Switzerland can submit data protection complaints. The updated language now reads: 'using the contact information described in the "How to Contact Okta" section below.' This is a formatting correction with no operational change to the complaint process or contact procedures.

Why this matters This change is a formatting correction with no material operational impact on how individuals in the EEA, UK, or Switzerland submit data protection complaints or access Auth0's contact information. The updated policy continues to direct individuals to the same 'How to Contact Okta' section for DPF Principles-related inquiries and complaints. No action is required by users.

View full change record →

May 9, 2026

low

What changed Auth0 removed a space before the period at the end of a sentence about opting out of third-party cookies and device identifiers. The substance of what consumers can do remains unchanged, but the text now ends with a period instead of a space followed by a period. This is a formatting correction with no impact on your actual privacy rights or opt-out options.

Why this matters This change is a minor formatting correction to Auth0's privacy policy and does not affect your rights, data protections, or ability to opt out of third-party cookies and device tracking. The substance of the opt-out guidance remains identical to before the update. No action is needed in response to this change.

View full change record →

Recent Provision Changes Jun 2, 2026

Added (5)

Personal Data Collection Scope Medium

Provides comprehensive transparency about the scope and sources of data collection, including new category of inferred data derived from collected information.

California Resident Privacy Rights (CCPA/CPRA) Low

Separates California-specific CCPA/CPRA rights from general GDPR/CCPA provisions, reflecting distinct regulatory requirements and providing state-specific guidance.

EU and UK Data Subject Rights Low

Separates European data protection rights from CCPA/CPRA and provides specific DPO contact information for exercising rights, enhancing compliance transparency for EU/UK/Swiss users.

Corporate Transaction Data Transfer Low

Explicitly addresses personal data handling during M&A activities and commits to notification, clarifying data subject rights during corporate transitions.

Children's Privacy Low

Establishes clear COPPA-compliant policy regarding children's data collection and removal procedures for accidental collection.

Removed (2)

Data Subject Rights (GDPR and CCPA)

Replaced by separate, jurisdiction-specific provisions for California (CCPA/CPRA) and EU/UK/Swiss rights, allowing for more tailored regulatory compliance disclosures.

Marketing Communications and Opt-Out

Removed standalone provision suggesting marketing communications handling is now covered under broader data usage and subject rights sections in current version.

Modified (5)

Data Controller vs. Processor Dual-Role Distinction

Expanded to explicitly define the data controller vs. processor distinction with concrete examples and clarified that customer privacy policies govern processing in processor role.

Third-Party Data Sharing for Advertising and Analytics

Significantly expanded scope to include comprehensive list of service provider categories beyond just advertising and analytics partners.

Cross-Border Data Transfers

Added specific geographic focus on EEA, UK, and Switzerland; changed framing from conditional safeguards to affirmative reliance on Standard Contractual Clauses and European Commission approval.

Cookie and Tracking Technology Use

Expanded to explicitly include web beacons and pixel tags, clarified purpose as device recognition and personalization, added note about third-party tracking, and added browser settings adjustment option.

Data Retention

Added detailed framework for retention determination including consideration of data sensitivity, harm risk, processing purposes, and legal requirements.

View full change record →

Medium — 5 provisions

Data Controller vs. Processor Dual-Role Distinction Compare →

If you log into an app that uses Okta or Auth0 for authentication, your data is controlled by that app's developer or employer, not Okta directly, and Okta's privacy policy does not govern those interactions.

Added May 10, 2026 Standard Seen across 284 platforms
Personal Data Collection Scope Compare →

Okta collects a wide range of personal information including your name, contact details, employer, device identifiers, and how you interact with Okta's website, and uses this to build profiles about your interests.

Added May 10, 2026 Standard Seen across 284 platforms
Third-Party Data Sharing for Advertising and Analytics Compare →

Okta shares your personal data with advertising and analytics companies that can track your behavior across websites to serve you targeted ads, not just with companies that help Okta operate its services.

Added May 10, 2026 Standard Seen across 252 platforms
Cross-Border Data Transfers Compare →

If you are in the EU, UK, or Switzerland, your personal data may be transferred to and stored in the United States, and Okta states it uses Standard Contractual Clauses as the legal mechanism for doing so.

Added May 10, 2026 Standard Seen across 284 platforms
Cookie and Tracking Technology Use Compare →

Okta uses cookies and tracking pixels on its websites, including those set by third-party advertising companies, to track your behavior and serve targeted ads, but provides a cookie preference center to manage these settings.

Added May 10, 2026 Standard Seen across 284 platforms

Low — 5 provisions

California Resident Privacy Rights (CCPA/CPRA) Compare →

California residents have the right to see, delete, correct, and opt out of sharing of their personal data, and can exercise these rights by contacting Okta at privacy@okta.com.

Added May 10, 2026 Standard Seen across 284 platforms
Data Retention Compare →

Okta keeps your personal data for as long as it considers necessary for its business purposes and legal obligations, without specifying fixed retention periods for most data types.

Added May 8, 2026 Standard Seen across 284 platforms
EU and UK Data Subject Rights Compare →

EU, UK, and Swiss residents have a comprehensive set of data rights under GDPR, including the right to access, correct, delete, and port their data, and can contact Okta's DPO at dpo@okta.com or complain to their national regulator.

Added May 10, 2026 Standard Seen across 284 platforms
Corporate Transaction Data Transfer Compare →

If Okta is acquired or merges with another company, your personal data may be transferred to the acquiring company as a business asset, though Okta states it will notify users of such changes.

Added May 10, 2026 Standard Seen across 252 platforms
Children's Privacy Compare →

Okta's services are not intended for anyone under 16, and Okta states it will delete personal data collected from under-16s if discovered, though it does not describe active age verification mechanisms.

Added May 10, 2026 Standard Seen across 284 platforms