California Resident Privacy Rights (CCPA/CPRA)

What it is

California residents have the right to see, delete, correct, and opt out of sharing of their personal data, and can exercise these rights by contacting Okta at privacy@okta.com.

Why it matters (compliance & governance perspective)

CPRA significantly expanded California privacy rights including the right to correct inaccurate data and limit use of sensitive personal information, and Okta's acknowledgment of these rights means California residents have concrete, enforceable options beyond what users in other US states may have.

Consumer impact (what this means for users)

California residents can request access to, deletion of, or correction of their personal data held by Okta, and can opt out of Okta sharing their data for behavioral advertising, with Okta prohibited from discriminating against users who exercise these rights.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implicates the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. Key CPRA rights include access, deletion, correction, opt-out of sale and sharing, and sensitive personal information limitations. The CPRA also requires that businesses honor Global Privacy Control opt-out signals. The FTC Act may also apply to material misrepresentations about privacy rights. GOVERNANCE EXPOSURE: Medium. The accuracy and operational completeness of Okta's rights fulfillment process is a key compliance requirement. Response timelines under CPRA require acknowledgment within 10 business days and substantive response within 45 days (extendable by 45 days). Verification mechanisms for consumer requests must be proportionate and not unduly burdensome. Organizations deploying Okta or Auth0 to authenticate California-resident end users should assess whether those users' rights flow through Okta's own policy or through the enterprise customer's obligations. JURISDICTION FLAGS: Applies to California residents. Organizations with California employees or customers who use Okta or Auth0 should assess whether their own CPRA obligations are affected by Okta's role as a service provider. Other US states with comprehensive privacy laws (Virginia, Colorado, Texas, and others) may create analogous obligations not fully addressed in this section. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that Okta's role as a service provider under CPRA is formalized in their contract, limiting Okta's ability to use California resident data for purposes beyond the contracted service. Service provider agreements should restrict Okta from using California resident personal data for its own advertising or analytics purposes without appropriate disclosure. COMPLIANCE CONSIDERATIONS: Legal teams should test Okta's privacy request submission process to confirm response timelines and verification steps meet CPRA requirements. Confirm whether Okta honors Global Privacy Control signals on its website properties. Assess whether sensitive personal information categories collected through Okta or Auth0 deployments are covered by the limitation rights described.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Controller vs. Processor Dual-Role Distinction medium
• Personal Data Collection Scope medium
• Third-Party Data Sharing for Advertising and Analytics medium
• Cross-Border Data Transfers medium
• Cookie and Tracking Technology Use medium
• Data Retention low