Okta's services are not intended for anyone under 16, and Okta states it will delete personal data collected from under-16s if discovered, though it does not describe active age verification mechanisms.
This analysis describes what Auth0's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy sets a minimum age of 16 rather than the COPPA threshold of 13 for US users, aligning more closely with GDPR Article 8 standards, but does not describe how under-16 users are actively identified or prevented from accessing services.
Individuals under 16 are not permitted to use Okta's services and their data should not be collected; parents who discover their child has created an account or provided data to Okta should contact privacy@okta.com to request deletion.
How other platforms handle this
Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under the age of 13 without parental consent. If we become aware that we have collected personal information from a child under the age of 13 without parental consent, we wil...
Our online services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible.
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete such information. In some juris...
Monitoring
Auth0 has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our websites and services are not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.— Excerpt from Auth0's Auth0 Privacy Policy
REGULATORY LANDSCAPE: In the US, the Children's Online Privacy Protection Act (COPPA) prohibits collection of personal information from children under 13 without verifiable parental consent, enforced by the FTC. Okta's policy sets its minimum age at 16, which is more conservative than COPPA's 13-year threshold and aligns with GDPR Article 8, which sets the digital consent age at 16 (with member state flexibility to lower to 13). The UK GDPR and the Age Appropriate Design Code (Children's Code) impose additional obligations for services likely to be accessed by children in the UK. GOVERNANCE EXPOSURE: Low. Okta's products are primarily B2B enterprise and developer tools, making incidental collection of children's data less likely than consumer-facing services. However, Auth0 is also used by consumer application developers, and the absence of active age verification in those downstream deployments may create exposure for the enterprise customers rather than Okta directly. JURISDICTION FLAGS: US (COPPA, FTC enforcement), EU (GDPR Article 8), UK (Age Appropriate Design Code, ICO enforcement). Auth0 customers building consumer applications should assess whether their deployments serve minors and whether COPPA or GDPR Article 8 obligations apply to them as controllers. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Auth0 for consumer-facing applications should include representations in their DPA regarding their obligations to prevent collection of data from minors and their compliance with applicable children's privacy laws. Procurement teams should assess whether Okta's standard DPA addresses COPPA or GDPR Article 8 obligations for Auth0 consumer deployments. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether Okta's age-16 threshold creates any operational inconsistency with COPPA for US-based consumer Auth0 deployments targeting the 13-15 age range. Auth0 customers with consumer-facing applications should confirm their own COPPA and GDPR Article 8 compliance independently of Okta's policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy sets a minimum age of 16 rather than the COPPA threshold of 13 for US users, aligning more closely with GDPR Article 8 standards, but does not describe how under-16 users are actively identified or prevented from accessing services.
Individuals under 16 are not permitted to use Okta's services and their data should not be collected; parents who discover their child has created an account or provided data to Okta should contact privacy@okta.com to request deletion.
ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Auth0.