ADP keeps your personal data for as long as needed to provide services and comply with legal requirements, with the specific length of time determined by the type of data and applicable law.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce deletion rights.
Interpretive note: The policy describes criteria for retention rather than specific timelines, leaving the actual retention period for most data categories unclear and context-dependent.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising …
ADP does not commit to specific retention periods for most data categories in this policy, meaning payroll, health, and financial data may be retained for extended periods at ADP's discretion within legal bounds, limiting the practical effectiveness of deletion requests.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Statement, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include: the length of time we have an ongoing relationship with you and provide services to you; whether there is a legal obligation to which we are subject; and whether retention is advisable in light of our legal position.— Excerpt from ADP's ADP Privacy Statement
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires personal data to be kept in a form that permits identification no longer than necessary for the specified purpose. Vague retention criteria without specific timelines may not satisfy GDPR's storage limitation principle as interpreted by EU DPAs. The relevant enforcement authorities are national DPAs. US state laws including CCPA do not prescribe specific retention periods but require that retention is consistent with disclosed purposes. GOVERNANCE EXPOSURE: Medium. The policy's criteria-based approach to retention without specifying timelines for defined data categories is common in corporate privacy notices but may be challenged by regulators expecting more specificity, particularly for sensitive data categories. Employer-clients may face difficulty demonstrating to auditors that their data is deleted in accordance with their own retention policies if ADP's retention practices are not transparently documented. JURISDICTION FLAGS: EU and UK create the highest exposure for vague retention language given GDPR's storage limitation requirements. Several EU DPAs have issued enforcement actions against organizations with insufficiently specific retention schedules. California and other US state frameworks may also require that retention periods be disclosed in privacy notices. CONTRACT AND VENDOR IMPLICATIONS: Employer-clients should negotiate specific retention timelines for their employee data in their DPA with ADP, particularly for sensitive categories. Procurement teams should request ADP's internal data retention schedule as part of vendor due diligence. Contracts should specify ADP's obligations to delete or return data upon termination of the service relationship. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether ADP's retention criteria align with organizational data retention policies and applicable law. Data mapping exercises should document expected retention periods for each ADP-processed data category. Upon service termination, organizations should confirm in writing the data deletion or return timeline with ADP.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce deletion rights.
ADP does not commit to specific retention periods for most data categories in this policy, meaning payroll, health, and financial data may be retained for extended periods at ADP's discretion within legal bounds, limiting the practical effectiveness of deletion requests.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.