ADP may collect and process highly sensitive personal information including health data, biometric identifiers, racial or ethnic origin, and union membership when required to deliver services, when you have consented, or for legal purposes.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These are among the most sensitive categories of personal information recognized under privacy law globally. Payroll and HR platforms often require some of this data, but its collection by a single provider at scale creates elevated risk if data is breached or misused.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising …
Employees whose employers use ADP for benefits administration or workforce management may have health data, biometric data, or other highly sensitive personal information processed through ADP's platform, which carries elevated privacy risk and triggers heightened regulatory protections in many jurisdictions.
How other platforms handle this
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal, and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the ...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may collect and use sensitive data where permitted or required by applicable law, where you have given your explicit consent, or where it is necessary for us to establish, exercise or defend legal claims. Sensitive data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, and data concerning a person's sex life or sexual orientation.— Excerpt from ADP's ADP Privacy Statement
REGULATORY LANDSCAPE: GDPR Article 9 designates these as special categories of personal data requiring explicit consent or another specific legal basis such as employment law necessity. The relevant enforcement authorities are EU national DPAs. In the US, HIPAA may engage if health data processed through ADP constitutes protected health information, though payroll-context health data often falls outside HIPAA's direct coverage. Illinois BIPA specifically governs biometric data collection and requires separate written consent and a published retention policy. GOVERNANCE EXPOSURE: High. The processing of GDPR special category data and biometric data at scale across a multinational payroll platform creates significant compliance obligations. Any breach involving these data types triggers heightened notification requirements under GDPR and various US state laws. The policy's general statement that sensitive data is collected where 'permitted or required by applicable law' is broad and may require more specific legal basis documentation for individual processing activities. JURISDICTION FLAGS: Illinois creates acute exposure for biometric data under BIPA, which provides a private right of action and statutory damages. EU and UK jurisdictions require explicit consent or a specific Article 9(2) exception for each special category processing activity. Several US states including Texas and Washington have biometric privacy statutes that may also apply. CONTRACT AND VENDOR IMPLICATIONS: Employer-clients should assess whether their DPA with ADP specifically addresses special category and biometric data processing, including sub-processor restrictions and deletion timelines. BIPA compliance requires a separately documented biometric data retention and destruction policy that ADP or the employer must publish. COMPLIANCE CONSIDERATIONS: Legal teams should audit which ADP product modules collect biometric or health data and confirm the applicable legal basis for each. Organizations in Illinois using ADP for biometric timekeeping should verify BIPA-compliant consent collection. Data mapping exercises should specifically flag special category flows through ADP systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These are among the most sensitive categories of personal information recognized under privacy law globally. Payroll and HR platforms often require some of this data, but its collection by a single provider at scale creates elevated risk if data is breached or misused.
Employees whose employers use ADP for benefits administration or workforce management may have health data, biometric data, or other highly sensitive personal information processed through ADP's platform, which carries elevated privacy risk and triggers heightened regulatory protections in many jurisdictions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.