ADP may collect and process highly sensitive personal information including health data, biometric identifiers, racial or ethnic origin, and union membership when required to deliver services, when you have consented, or for legal purposes.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These are among the most sensitive categories of personal information recognized under privacy law globally. Payroll and HR platforms often require some of this data, but its collection by a single provider at scale creates elevated risk if data is breached or misused.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Employees whose employers use ADP for benefits administration or workforce management may have health data, biometric data, or other highly sensitive personal information processed through ADP's platform, which carries elevated privacy risk and triggers heightened regulatory protections in many jurisdictions.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may collect and use sensitive data where permitted or required by applicable law, where you have given your explicit consent, or where it is necessary for us to establish, exercise or defend legal claims. Sensitive data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, and data concerning a person's sex life or sexual orientation.— Excerpt from ADP's ADP Privacy Statement
REGULATORY LANDSCAPE: GDPR Article 9 designates these as special categories of personal data requiring explicit consent or another specific legal basis such as employment law necessity. The relevant enforcement authorities are EU national DPAs. In the US, HIPAA may engage if health data processed through ADP constitutes protected health information, though payroll-context health data often falls outside HIPAA's direct coverage. Illinois BIPA specifically governs biometric data collection and requires separate written consent and a published retention policy. GOVERNANCE EXPOSURE: High. The processing of GDPR special category data and biometric data at scale across a multinational payroll platform creates significant compliance obligations. Any breach involving these data types triggers heightened notification requirements under GDPR and various US state laws. The policy's general statement that sensitive data is collected where 'permitted or required by applicable law' is broad and may require more specific legal basis documentation for individual processing activities. JURISDICTION FLAGS: Illinois creates acute exposure for biometric data under BIPA, which provides a private right of action and statutory damages. EU and UK jurisdictions require explicit consent or a specific Article 9(2) exception for each special category processing activity. Several US states including Texas and Washington have biometric privacy statutes that may also apply. CONTRACT AND VENDOR IMPLICATIONS: Employer-clients should assess whether their DPA with ADP specifically addresses special category and biometric data processing, including sub-processor restrictions and deletion timelines. BIPA compliance requires a separately documented biometric data retention and destruction policy that ADP or the employer must publish. COMPLIANCE CONSIDERATIONS: Legal teams should audit which ADP product modules collect biometric or health data and confirm the applicable legal basis for each. Organizations in Illinois using ADP for biometric timekeeping should verify BIPA-compliant consent collection. Data mapping exercises should specifically flag special category flows through ADP systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These are among the most sensitive categories of personal information recognized under privacy law globally. Payroll and HR platforms often require some of this data, but its collection by a single provider at scale creates elevated risk if data is breached or misused.
Employees whose employers use ADP for benefits administration or workforce management may have health data, biometric data, or other highly sensitive personal information processed through ADP's platform, which carries elevated privacy risk and triggers heightened regulatory protections in many jurisdictions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.