Cookie and Tracking Technology Use

What it is

Okta uses cookies and tracking pixels on its websites, including those set by third-party advertising companies, to track your behavior and serve targeted ads, but provides a cookie preference center to manage these settings.

Why it matters (compliance & governance perspective)

Third-party tracking technologies set by advertising partners can follow users across websites beyond Okta's own properties, and users should actively manage cookie preferences to limit this tracking rather than relying on default settings.

Consumer impact (what this means for users)

By default, visiting Okta's website may result in advertising and analytics cookies being set that track your behavior across the web; adjusting settings in Okta's cookie preference center can limit this tracking.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Cookie and tracking technology use is governed by the ePrivacy Directive (and its national implementations across EU member states) requiring opt-in consent for non-essential cookies in EU/EEA jurisdictions. GDPR applies to the processing of personal data collected through cookies. CPRA requires businesses to honor opt-out signals including Global Privacy Control for data sharing through tracking technologies. The FTC Act applies to material misrepresentations about tracking practices. Enforcement authorities include EU data protection authorities (with the Irish DPC as lead for Okta), the ICO in the UK, and the California Privacy Protection Agency. GOVERNANCE EXPOSURE: Medium. Cookie consent management platforms (CMPs) have faced increasing regulatory scrutiny for inadequacy, including pre-checked consent boxes, bundled consent, and failure to provide equal prominence to reject options. The French CNIL, Belgian DPA, and other EU regulators have taken enforcement actions against non-compliant cookie banners. Organizations embedding Okta services should also assess whether their own websites use Okta-related tracking technologies. JURISDICTION FLAGS: EU and EEA users face the highest exposure given opt-in consent requirements for non-essential cookies. UK users are protected by PECR alongside UK GDPR. California residents have opt-out rights for sharing through tracking technologies under CPRA. Organizations operating in multiple jurisdictions must ensure their cookie consent approach meets the highest applicable standard. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether Okta tracking technologies embedded in their own applications or portals require disclosure in their own cookie notices. If Okta scripts run on customer-controlled web properties, the enterprise customer may bear controller responsibility for those tracking activities. COMPLIANCE CONSIDERATIONS: Legal teams should audit Okta's cookie preference center for compliance with current regulatory guidance, including whether non-essential cookies are set prior to consent for EU users and whether the Global Privacy Control signal is honored. Organizations deploying Auth0 should assess whether any Auth0 scripts set cookies on their own domains and whether those require separate disclosure.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Controller vs. Processor Dual-Role Distinction medium
• Personal Data Collection Scope medium
• Third-Party Data Sharing for Advertising and Analytics medium
• Cross-Border Data Transfers medium
• California Resident Privacy Rights (CCPA/CPRA) low
• Data Retention low

Related Analysis

• Netflix Updated Terms Authorize Voice Data Collection: April 2026

  Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.

• What Google Actually Knows About You

  Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.