California CCPA Supplement and Opt-Out Rights

What it is

The policy directs California residents to a separate CCPA-specific notice for information about their rights under California privacy law, including rights to access, deletion, correction, and opt-out of data sale or sharing.

Why it matters (compliance & governance perspective)

This provision identifies a jurisdiction-specific supplement that governs California residents' data rights, which is operationally significant because CPRA rights including the right to opt out of sale or sharing for targeted advertising apply to ADP's data controller activities and are governed by the California notice rather than the global policy.

This document changed recently

Consumer impact (what this means for users)

California residents' privacy rights under CCPA and CPRA, including the right to know what personal data is collected, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal data, are addressed in a separate California-specific notice referenced by the policy rather than in the global privacy statement itself.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision engages the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. The CPRA expands CCPA rights to include correction, sensitive data restrictions, and opt-out of sharing for behavioral advertising in addition to sale. The provision also engages any California-specific requirements for employee and business contact data under CPRA's expanded scope. 2) GOVERNANCE EXPOSURE: Medium. The adequacy of the California supplement, particularly whether it includes a functional opt-out mechanism for data sale and sharing, a description of sensitive personal information collected, and retention periods, is subject to CPPA enforcement. Organizations that share employee data with ADP and California employees interact with ADP platforms should ensure their own CCPA notices reflect ADP's role. 3) JURISDICTION FLAGS: California residents including both ADP direct service users and employees of ADP client organizations (where ADP may act as a service provider under CCPA) are the primary affected population. The CPPA has enforcement authority and has issued regulations under CPRA that specify notice content requirements, opt-out signal recognition, and retention disclosure obligations. 4) CONTRACT AND VENDOR IMPLICATIONS: ADP client organizations with California employees should confirm whether ADP's CCPA classification as a service provider (processor) or third party (controller) for various data categories is consistent with the organizations' own CCPA privacy notices and data processing agreements. If ADP qualifies as a service provider, the service agreement must prohibit ADP from using California employee data for its own commercial purposes. 5) COMPLIANCE CONSIDERATIONS: Legal teams should review the full text of ADP's California CCPA supplement to verify that opt-out mechanisms, sensitive data rights, retention disclosures, and the list of data categories sold or shared are complete and current under CPRA regulations. The California supplement should also address whether ADP honors Global Privacy Control (GPC) signals as required by CPPA regulations.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Controller-Processor Distinction for Client Employee Data high
• EU Binding Corporate Rules for Cross-Border Data Transfers medium
• Third-Party Data Sharing with Analytics and Advertising Vendors medium
• Data Subject Rights and Contact Mechanisms medium
• HR and Payroll Data Processing Scope high
• Cookie and Tracking Technology Use medium