CIAM by example in four recipes: Build for data privacy and compliance

This recipe is part of the series Learn CIAM by example: Four recipes to improve your app’s security and UX. You can learn more about the series by downloading our four recipes in a cookbook format.

In this recipe, you learn how to add passwordless auth to your application using passkeys.

Consumers want to see and do more digitally, and they trust brands that are clear about how their information is used to deliver value.

Getting data privacy right for any user, whether they're your employee, a customer, or someone on contract, is rarely a one-time consideration.

Different regulatory bodies have different compliance requirements depending on the type of data you're working with, whether it’s user access to health information (HIPAA) or personal information relating to individuals in the EU (GDPR).

Data privacy compliance is more than just obtaining the appropriate consent. It’s a framework for appropriate access, which includes the security of your consumer data.

Why is data privacy compliance important?

With bigger organizations comes greater responsibility regarding the depth of compliance required by regulations like GDPR and CCPA. That said, no organization — even the smallest one —  is off the hook when it comes to data privacy — and security is a major component of data privacy. 

Think about how privacy works in the real world. You can put four walls and a door around just about anything. But if the door doesn’t have a lock, is that space private?

Phase 1: Implement an audit log

Per GDPR and CCPA, organizations great and small are obliged to certain auditing practices, and the foundation of these practices begins with an audit compliance layer, also known as an audit log.

Unlike SIEM or system logging tools, audit logging relays the impact of a security incident in a readable prompt — like a historical record of events — to assess the risk associated with an individual’s or group’s actions on your platform, as compared to the permissions they have, and raise a red flag when they don’t match.

With Auth0 by Okta, you don’t need to build your audit log stream. Our logs are ready for auditing out-of-the-box, with several compliance certifications built in to help support compliance readiness.

However, that’s only the beginning. Audit logs tell you what parts of your platform are frequented and what data is visible to your lowest common denominator. It’s up to organizations to mobilize these insights into tangible protection for their consumers and provide tools that give them control over their data.

Phase 2: Consent

Data privacy laws may require organizations to obtain appropriate consent before processing personal data. With Auth0 by Okta professional and enterprise, customers can obtain consent using Custom Prompts.

Custom Prompts is a feature built on the Liquid template language, designed to give developers enhanced control over the login and signup experience, with partial templates at various entry points. Basically, with a bit of HTML, CSS, and Javascript, teams can bootstrap their consent efforts with Auth0 by Okta’s cloud-hosted Universal Login.

These partial templates can accomplish granular consent and capture other information at different points in the authentication journey, powered by Auth0 by Okta Actions. In this recipe, we will add a signup prompt using Actions.



  1. Let’s load our partial consent template into our login with an API call.
    Here’s the consent partial.

  <div class="ulp-field">





    <label for="terms-of-service">

      I accept the

      <a href="">terms and conditions</a>



Add this to a curl command, and go. 

# Add your own tenant info




curl -X PUT \

-H 'Content-Type: application/json' \

-H "Authorization: Bearer $TOKEN" \

-d "{\"signup\":{\"form-content-end\":\" <div class= 'ulp-field '> <input type= 'checkbox ' name= 'ulp-terms-of-service ' id= 'terms-of-service '> <label for= 'terms-of-service '> I accept the <a href= ' '>terms and conditions</a> </label> </div> " \



  1. Since Universal Login is ready to support consistent, branded UX, your custom partials will fit right in with the rest of the UI:

nidMQB5xpj6iaenwebsxXtVur3cieP8OoonrtziF83HzX xtoPai7U3C6oLQjhGPHMEje3xRkKPJbjYi1rSxGGB8GqmNSx707NUzH N4PMRVHVVC6 AkjUzujeThZQx3M53yrbHU3Co0he64RCjYmLw


  1. ITo secure this client-side code, we need to take the extra step of creating server-side validation — in the form of a pre-user-registration Action — by navigating to Actions > Library > Build Custom:

    XhUr4 jp01CwIe9Cf8FXIOuqHHG5CZZgoVXoD3IeN9wIfKFY 6ySi jRdETpgv Rtz1uAA2UtMUj 0IhpCeDDMpPpYf8GfGZO7yacPPtdTobFvinSpv7kZWP  csG20fODZEe2ha WXdRU6bdWvUZBo

  2. Add the following code to the Action, which will prevent form validation without consent, then Deploy to save:

exports.onExecutePreUserRegistration = async (event, api) => {

  const termsOfService = event.request.body['ulp-terms-of-service'];

  if(!termsOfService) {

    api.validation.error("invalid_payload", "Please review the terms of service.");



  api.user.setUserMetadata("termsOfService", true);


  1. Navigate to Flows > Pre User Registration, and add your Custom Action:
    H4Juzp4ZJMTIJ0 ZEfEdEd0g6xj3sJIry0iG feG0NSGKjV bFcB pZBg7hJdlOyU 0WrF7X6UW1UxrDcHggRpKQOda0k4FyblQMWKy1szbkjoJzYyYnbg4ithguK4dmXYscs1v 455fc5 4vn7BcFc
  2. Now, when your user gives consent, this will be documented in their profile (User Management > Users) under user_metadata:
    00 epzNDR4SWgqjQy4GsUBHxYHL2VfuCUL2jMNsNFHdyzgZHmMtTDyFnkeikLR1NGrw1F2WGzQaJZUL0w4N5F3KXsNyhVA67l6UgsFr6ZWNdXf 5jGIaib46q8k2fAc8DfetbuTdLS45m4D3c 0aNcU

Phase 3: Preference Center

Data privacy compliance requires that users consent to the collection and use of their personal data and can revoke it and access or correct their data or delete it from your platform.

A Preference Center is a place where users go to manage their preferences, including the newsletters they signed up for and any other service in between that requires explicit consent.

feGM6Rv 2pP0YxR2ED0bZWYy9fmORElOjctTM W5gNpS7m91d4GcqnlBxEcEmYiLv 15yX9Lt0IMpSYjV0RTQBJE48EvEwjvKPgXQ6Asd6wFglJp4lK5608FiO hpTbKsWIvwv6EWd pSxAD7DVAgpc

When organizations invest in an identity solution like Auth0 by Okta, Building preference centers are a breeze through the Auth0 Management API.

Phase ∞: Data security

Malicious actors are just as active as organizations in finding ways to harness the latest technology. Data security has no end game, but Auth0 by Okta has powerful tools and expert personnel at your disposal to keep fraudulent activity off your platform. 

What's next?

With your application secure and compliant, it's time to use CIAM to get a universal view of your consumer across multiple channels.

In our next recipe, we’ll explore CIAM's extensibility by integrating your consumer data into a marketing system. If you want to see that, plus all other recipes, in a comprehensive guide, download our cookbook.