This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This privacy policy establishes Okta's data collection, use, and sharing practices for website visitors, event attendees, and marketing contacts. Okta collects personal information including contact details, device identifiers, and browsing behavior on okta.com, and shares this data with advertising networks, analytics providers, and business partners. The policy excludes enterprise product data governed by separate customer agreements between employers and Okta.
This document is Okta's public-facing privacy policy governing the collection, use, and disclosure of personal data by Okta, Inc. and its subsidiaries in connection with their websites, marketing activities, and corporate operations, with the Customer Agreement and Data Processing Addendum governing data processed within Okta's identity and access management products. The policy states that Okta collects identifiers, device and usage data, professional information, and inferred data through direct interaction, automated technologies (including cookies and tracking pixels), and third-party partners; the terms authorize use of this data for product delivery, marketing, analytics, fraud prevention, and sharing with service providers, business partners, and affiliates. Notably, the policy explicitly distinguishes 'Okta as controller' (website and marketing data) from 'Okta as processor' (customer-configured service data governed by separate agreements), a structural separation that is operationally significant for enterprise customers evaluating data liability, though it places direct privacy obligations for end-user data generated within deployed Okta products largely on the enterprise customer rather than Okta itself. The policy references compliance with GDPR, CCPA/CPRA, and related frameworks, designating Okta Ireland Limited as the EEA controller and noting Standard Contractual Clauses as the primary cross-border transfer mechanism; California residents are granted enumerated rights including opt-out of sale or sharing of personal information, and the policy's statement that Okta does not sell personal data in the traditional sense requires evaluation against CCPA's broad definition of 'sharing' for cross-context behavioral advertising. 
Material compliance considerations include the adequacy of consent mechanisms for marketing cookies, the scope of third-party analytics integrations, and whether the controller-processor boundary is clearly documented in enterprise data processing agreements.
3 important changes detected
3 versions captured · Last updated: May 2026
Okta's Privacy Policy was updated on May 5, 2026 to add a trailing space at the end of a sentence about opt-out mechanisms for third-party vendor cookies and device identifiers. …
Okta has updated this document before.