Personal Data Collection Scope

What it is

Okta collects a wide range of personal information including your name, contact details, employer, device identifiers, and how you interact with Okta's website, and uses this to build profiles about your interests.

Why it matters (compliance & governance perspective)

The breadth of data collected, spanning identifiers, behavioral signals, and inferred profiles, means Okta is building a fairly detailed picture of users who visit its websites or use its marketing properties, which is used for targeted advertising and product development.

Consumer impact (what this means for users)

Your name, email, employer, device ID, browsing behavior on Okta sites, and inferred interest profiles may all be collected and used for marketing and analytics purposes, including by third-party advertising partners embedded in Okta's web properties.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The scope of data collection engages GDPR's data minimization principle (Article 5(1)(c)), purpose limitation, and the requirement for a valid legal basis for each processing activity. CCPA and CPRA require disclosure of each category of personal information collected and the business purpose. The FTC Act's prohibition on unfair or deceptive practices applies to material disclosures about data collection scope. GOVERNANCE EXPOSURE: Medium. The collection of inferred profiles and behavioral data for marketing purposes is common in B2B SaaS but requires careful legal basis documentation under GDPR. If legitimate interests is asserted as the basis for marketing-related profiling, a documented Legitimate Interests Assessment is required under GDPR Article 6(1)(f). Absence of such documentation creates audit exposure. JURISDICTION FLAGS: EU and UK users are protected by data minimization and purpose limitation requirements that may constrain behavioral profiling without explicit consent or a documented legitimate interest. California residents have CPRA rights to opt out of sharing personal data for cross-context behavioral advertising. Illinois and other states with comprehensive privacy laws may impose additional notice requirements. CONTRACT AND VENDOR IMPLICATIONS: Organizations purchasing Okta enterprise services should assess whether Okta's collection of professional data (employer, job title) about their employees through Okta's own website properties creates any data handling obligations under their own internal privacy programs. COMPLIANCE CONSIDERATIONS: Legal teams should review whether Okta's cookie consent mechanism meets ePrivacy Directive standards for EU visitors and whether the disclosed categories of inferred data are sufficient to satisfy CCPA category disclosure requirements. A data mapping audit should verify that all third-party analytics and advertising tags embedded in Okta's properties are disclosed.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Controller vs. Processor Dual-Role Distinction medium
• Third-Party Data Sharing for Advertising and Analytics medium
• Cross-Border Data Transfers medium
• California Resident Privacy Rights (CCPA/CPRA) low
• Cookie and Tracking Technology Use medium
• Data Retention low

Related Analysis

• Netflix Updated Terms Authorize Voice Data Collection: April 2026

  Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.

• What Google Actually Knows About You

  Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.