ADP keeps your personal data for as long as needed to provide services and comply with legal requirements, with the specific length of time determined by the type of data and applicable law.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce deletion rights.
Interpretive note: The policy describes criteria for retention rather than specific timelines, leaving the actual retention period for most data categories unclear and context-dependent.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →ADP does not commit to specific retention periods for most data categories in this policy, meaning payroll, health, and financial data may be retained for extended periods at ADP's discretion within legal bounds, limiting the practical effectiveness of deletion requests.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Statement, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include: the length of time we have an ongoing relationship with you and provide services to you; whether there is a legal obligation to which we are subject; and whether retention is advisable in light of our legal position.— Excerpt from ADP's ADP Privacy Statement
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires personal data to be kept in a form that permits identification no longer than necessary for the specified purpose. Vague retention criteria without specific timelines may not satisfy GDPR's storage limitation principle as interpreted by EU DPAs. The relevant enforcement authorities are national DPAs. US state laws including CCPA do not prescribe specific retention periods but require that retention is consistent with disclosed purposes. GOVERNANCE EXPOSURE: Medium. The policy's criteria-based approach to retention without specifying timelines for defined data categories is common in corporate privacy notices but may be challenged by regulators expecting more specificity, particularly for sensitive data categories. Employer-clients may face difficulty demonstrating to auditors that their data is deleted in accordance with their own retention policies if ADP's retention practices are not transparently documented. JURISDICTION FLAGS: EU and UK create the highest exposure for vague retention language given GDPR's storage limitation requirements. Several EU DPAs have issued enforcement actions against organizations with insufficiently specific retention schedules. California and other US state frameworks may also require that retention periods be disclosed in privacy notices. CONTRACT AND VENDOR IMPLICATIONS: Employer-clients should negotiate specific retention timelines for their employee data in their DPA with ADP, particularly for sensitive categories. Procurement teams should request ADP's internal data retention schedule as part of vendor due diligence. Contracts should specify ADP's obligations to delete or return data upon termination of the service relationship. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether ADP's retention criteria align with organizational data retention policies and applicable law. Data mapping exercises should document expected retention periods for each ADP-processed data category. Upon service termination, organizations should confirm in writing the data deletion or return timeline with ADP.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce deletion rights.
ADP does not commit to specific retention periods for most data categories in this policy, meaning payroll, health, and financial data may be retained for extended periods at ADP's discretion within legal bounds, limiting the practical effectiveness of deletion requests.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.