The policy establishes that jurisdiction-specific supplements govern local law rights and disclosures for users in specific geographies, with the global policy serving as a baseline that regional notices modify or supplement.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The layered supplement structure means that the applicable privacy terms for any given user depend on their jurisdiction, and the global policy alone does not constitute a complete disclosure of rights and obligations for users in regulated jurisdictions such as the EU, UK, Canada, or California.
Interpretive note: The content of individual regional supplements is not reproduced in the document text provided; the adequacy of each supplement under applicable local law cannot be assessed from the global policy alone.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Under this structure, the rights available to an individual, the legal bases for processing, the retention periods, and the contact mechanisms for data rights requests all vary by jurisdiction and are disclosed in regional supplements that must be accessed separately from the global privacy statement.
How other platforms handle this
Depending on where you live, you may have certain rights with respect to your personal information, such as the right to request access, correction, or deletion of your personal information, or to opt out of the sale or sharing of your personal information. If you are a California resident, you have...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"This Privacy Statement is supplemented by jurisdiction-specific notices that provide additional information about our privacy practices and your rights under local law. Please refer to the applicable regional supplement for your jurisdiction.— Excerpt from ADP's ADP Privacy Statement
1) REGULATORY LANDSCAPE: The supplement structure is designed to address jurisdiction-specific requirements under GDPR, UK GDPR, CCPA/CPRA, Canadian PIPEDA and provincial laws, Australian Privacy Act, and other national frameworks. Each supplement must independently satisfy the notice requirements of the applicable law, including content requirements specified by GDPR Articles 13 and 14, CCPA notice at collection requirements, and equivalent local standards. 2) GOVERNANCE EXPOSURE: Medium. The adequacy of each regional supplement is independently assessable by the applicable supervisory authority. A deficiency in one regional supplement (for example, failure to disclose retention periods or lawful bases for processing in the EU supplement) does not affect the global policy but creates localized regulatory exposure. The number of jurisdictions in which ADP operates and the maintenance burden of keeping all supplements current creates ongoing compliance risk. 3) JURISDICTION FLAGS: The EU and UK supplements carry the highest regulatory scrutiny given GDPR and UK GDPR enforcement records. The California supplement is subject to CPPA oversight. Canadian supplements must address both federal PIPEDA and provincial laws (Quebec Law 25 in particular has introduced significant new obligations effective 2023). ADP operates in more than 140 countries according to its corporate disclosures, and the completeness of supplement coverage across all jurisdictions should be verified. 4) CONTRACT AND VENDOR IMPLICATIONS: ADP client organizations that operate in multiple jurisdictions should identify which regional supplements apply to their employees and confirm that those supplements are referenced in their own employee privacy notices. Where ADP acts as a processor, the employer remains responsible for ensuring that the ADP-provided regional supplement is consistent with the employer's own GDPR or local law privacy notices. 5) COMPLIANCE CONSIDERATIONS: Legal teams should conduct a periodic review of all applicable regional supplements to confirm currency with legislative changes, including CPRA regulatory updates, UK GDPR post-Brexit developments, and Quebec Law 25 implementation requirements. The review schedule should account for ADP's update notification practices and whether users or client organizations are proactively notified of supplement changes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The layered supplement structure means that the applicable privacy terms for any given user depend on their jurisdiction, and the global policy alone does not constitute a complete disclosure of rights and obligations for users in regulated jurisdictions such as the EU, UK, Canada, or California.
Under this structure, the rights available to an individual, the legal bases for processing, the retention periods, and the contact mechanisms for data rights requests all vary by jurisdiction and are disclosed in regional supplements that must be accessed separately from the global privacy statement.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.