Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Okta's privacy policy explaining how the company collects and uses your personal information when you visit their website, attend their events, or interact with their marketing. The most important thing to know is that Okta collects a wide range of data including your contact details, device identifiers, browsing behavior on okta.com, and information purchased from third-party data providers, and shares this with advertising and analytics partners. If you are a California resident, you can opt out of the sharing of your personal information for advertising purposes through Okta's cookie preference center or by submitting a request at their privacy rights portal.
This document is Okta's public-facing privacy policy governing the collection, use, and disclosure of personal data by Okta, Inc. and its subsidiaries in connection with their websites, marketing activities, and corporate operations, with the Customer Agreement and Data Processing Addendum governing data processed within Okta's identity and access management products. The policy states that Okta collects identifiers, device and usage data, professional information, and inferred data through direct interaction, automated technologies (including cookies and tracking pixels), and third-party partners; the terms authorize use of this data for product delivery, marketing, analytics, fraud prevention, and sharing with service providers, business partners, and affiliates. Notably, the policy explicitly distinguishes 'Okta as controller' (website and marketing data) from 'Okta as processor' (customer-configured service data governed by separate agreements), a structural separation that is operationally significant for enterprise customers evaluating data liability, though it places direct privacy obligations for end-user data generated within deployed Okta products largely on the enterprise customer rather than Okta itself. The policy references compliance with GDPR, CCPA/CPRA, and related frameworks, designating Okta Ireland Limited as the EEA controller and noting Standard Contractual Clauses as the primary cross-border transfer mechanism; California residents are granted enumerated rights including opt-out of sale or sharing of personal information, and the policy's statement that Okta does not sell personal data in the traditional sense requires evaluation against CCPA's broad definition of 'sharing' for cross-context behavioral advertising. Material compliance considerations include the adequacy of consent mechanisms for marketing cookies, the scope of third-party analytics integrations, and whether the controller-processor boundary is clearly documented in enterprise data processing agreements.
Institutional analysis available with Professional
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.
Start Professional free trial2 important changes detected
3 versions captured · Last updated: May 2026
Monitoring
Okta has updated this document before.
Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
Professional Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Professional free trialCross-platform context
See how other platforms handle Controller-Processor Bifurcation and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.