The privacy fight is heading to the office

Vanessa Wu, Rippling's general counsel, talks about remote work, employee data and why privacy legislation needs to apply in the office.

Vanessa Wu said she first found out about Rippling, a fast-growing startup for managing employee data, because she was fascinated by password managers and thought Rippling had a nice one. But since she joined the company as its general counsel in 2019, she's found herself thinking about privacy on an even broader level.

Rippling's job is to store and share all of a company's data, from logins to payroll to employees' most personal information. That means Wu and her team are at the center of a burgeoning debate in the tech world over how, exactly, companies should use that data. Many are still figuring out what GDPR, CCPA, CPRA and the rest of the world's hodgepodge of privacy legislation mean for their business and internal processes.

Wu joined the Source Code Podcast to talk about Rippling's approach, privacy in the workplace, employers spying on their employees and more.

Below are excerpts from our interview, condensed and edited for length and clarity.

One thing I've heard you talk about a lot is the idea that there's a difference between HR data and employee data. Can you explain what you mean?

I think the "aha" moment, the secret sauce of Rippling, is saying: "Hey, so many business systems are built off of employee data. And that's what creates so much administrative pain for companies." It's the fact that they don't have a unified system for understanding all of their employee data or HR data. So what I mean by that is, if you are running payroll for somebody at your company, and that person gets married [or] has a kid, that changes their benefits, which changes their payroll, which historically was a whole team of people behind the scenes at whatever large company you're working at literally copying fields from spreadsheet to spreadsheet to make sure that your pay accounted for those differences and benefits deductions that you are going to have to pay.

And that's why it doesn't update automatically. You think it should, but it doesn't. And now we have a whole security component to it. When people leave your company, you don't want them to have access to all your confidential information. So you have to talk to IT [and] they have to manually deactivate each person because they no longer work at the company. And that's what Rippling is unifying. I think companies just haven't thought about it as one system: Using the employee data — the fact that they're employed, the fact that they've gotten a promotion, the fact that they're no longer with your company — to power all business systems. And from a privacy perspective, that's really cool. Because you can be really respectful of the data for each use case.

There's an interesting connection there between how you think about something like ad tech and something like employee data, because it's sort of the same thing, right? You're saying, "We are going to take a lot of information about you, we're going to put it all in one place and then we're going to figure out how to treat it usefully and responsibly." And it feels like you're actually sort of solving the same problem from two very different directions.

It's a super similar problem. And I think people don't usually think about it in that way. It just has different public connotations. I think with ad tech, some consumers maybe don't want all of their data linked together so that they can be shown ads on their phone versus their computer versus their TV. And they don't have a good understanding of why that's happening. (It's happening because advertisers are paying the money for that to happen.) Whereas the use case within a company with Rippling makes total sense. Yeah, of course you're going to share that employee data with a system like Rippling so that they can make sure that when someone leaves the company, they don't still have access to all of your systems, or so that when your employee has a kid, that all those benefits transition to payroll. Or when so-and-so is promoted, they suddenly have access to all the tools they need as a manager and the permissions associated with that.

So I think it's just more respectful of the data, because it's very logical. It's just that systems haven't been built with that broad range. Because it's difficult. Like [Rippling cofounder and CEO Parker Conrad] often says, we're building 10 companies at one time. That's our ultimate challenge. People build point solutions because it's a lot easier to wrap your head around building just payroll. There are a ton of public payroll companies with multibillion-dollar valuations. And for us, that's like one of the 10 other things we're building.

We've spent the last four years really reckoning with this personal privacy argument, in a lot of ways for the first time. But the question of how data is supposed to work at work really has not been a thing we've talked a lot about. I think recently we've talked about it more, with these things that log keystrokes when people are at home to make sure people are working, and wearables to track you and stuff. But have we ever actually had a broader conversation about employee data? Is this even a thing people are thinking about at all?

I don't think so. I thought that this year would be the year that we were going to talk about employee data, because the California Consumer Privacy Act went into effect at the beginning of the year with a one-year exemption for employee data. So the idea was that over the course of 2020, we're going to figure out how privacy worked with employee data. That has just been extended to 2022 because of the pandemic so no one's been able to think about it. And then there's the new ballot initiative on the books in California, the CPRA. That would extend that discussion on employee privacy and B2B privacy until 2023. So not only is it not being talked about, it's been extended out further and further into the future.

So where does that put you? Do you just have to guess where we're going to be in a couple of years as you're making decisions about things now?

I really look to Europe as the best guide. The U.S. is never going to adopt all the regulations that Europe does; we're a different country, we have a very different viewpoint on things like digital rights and privacy. But Europe always goes further, I think, than we will. So understanding where they are — and in the fact that we do plan to be a global business someday — that's the best way for us to kind of futureproof our business and understand how we can be respectful of employee data.

What do you take from GDPR as an interesting barometer for where the U.S. might go?

GDPR just is rooted in a couple of foundational principles, one of which is that you need to have a legal basis to process data — so you need to have some legal reason to have the data in the first place, and then you need to process it in the way that you're telling people. And that you should limit your use cases.

So, real example: I'm collecting a social security number from an employee — [a] pretty sensitive piece of data — so that I can feed it to your health insurance carrier and actually get you good benefits. That makes sense! But maybe I don't want you using my social security number to sell it to Experian, who's then going to data-broker that into the ad tech system, just because I'm employed with your company.

This concept isn't that novel, [the idea] that when you give your data to somebody ... they will do with it what they say they will do with it, and nothing more. And it's kind of crazy that that's the novel concept out of GDPR. But some companies are really well situated to do that, and other companies are not.

The big ad tech platforms of the past 10 years, like Google and Facebook and Amazon, do not subscribe to that policy of "when you give us your data, we only do with it what we've said we're going to do with it." That's totally antithetical to their platform model. But I was really attracted to Rippling because it's just sort of organically set up to do that and be respectful and be compliant with these GDPR principles.

I'm curious how you think about privacy in the world right now, more broadly. Every company I talk to is very much still reckoning with how to let people use personal machines, how to keep an eye on whether people are being productive versus respecting their space. "Should people have admin passwords on their computers?" is a question I keep getting from people. What's the most interesting stuff you're seeing?

I've read some of those same articles about people doing, like, keystroke monitoring, and it seems pretty invasive to me. I was a lawyer at a law firm first and we had to bill our time in six-minute increments, but as a result no one ever really monitored what you were doing because you just self-policed. If you weren't billing enough, you just weren't billing enough. And then the assumption is you're not working. That had a lot of downsides, but I think the flip side is there is a lot of flexibility and no one was ever like, "Are you in the office?" There wasn't this face-time requirement. Whereas I think about the bankers of the world, who put their jackets on their desk chair so their boss thinks they're in the office even if they're not, because face time is such an important thing. They're just sitting there to sit there.

I think the pandemic has kind of revealed everyone's worst fears and attributes in that sense. But it has also really highlighted it, too: Is it really necessary to be face-to-face with someone, even though you're doing no work, to still be a productive individual? And so I see a lot of those things as bad behavior, but hopefully the pandemic is helping people learn to get a little more trust. But I do think those tools and those practices should probably be more closely scrutinized.

The thing people in the U.S. don't realize, though, is that they don't really have rights to challenge those practices, except by not working at those employers. I would just personally like to see more attention to that, because I think some of those practices are pretty poor.

Employees have no leverage in this, right? In the same way that you sort of can't avoid Google, even if you'd like to.

Yeah, I think it's a power imbalance between the employer and employee, because we're very transactional about it in the U.S. It's like, "just go work somewhere else," whether or not that's truly a reality. I am personally all for additional employee privacy legislation. I think the pandemic has shown some of the creepier ways in which employers are trying to [exert] control over their employees. And some limits should be placed on that, rather than it just being a free-for-all.

Why don't we have privacy legislation yet? It seems like in part we're arguing about what federal privacy legislation is supposed to look like. But in part, it just doesn't seem like anybody really cares.

Yeah, I don't think Americans believe in privacy universally. And it's not a constitutional right. It's like, we have a right to free speech, we have a right to bear arms, we don't have a right to privacy in our federal constitution. And you do have that in Europe. So I think it's always just battling against, "Well, what about my speech!" Americans just don't care as much.

In the meantime, what can you as general counsel at a tech company, or any tech company in general, do? It feels like something is inevitably going to happen in the next couple years. You don't want to build a whole privacy and data infrastructure that then becomes immediately outdated by this new system, but also doing nothing seems like a bad idea. How do you exist in this limbo?

I think the coolest thing about the GC community is a lot of GCs have started focusing on privacy. When I left my law firm way back when, I was like, "I'm gonna focus on privacy, you know, away from antitrust," and they were like: "That's not a big enough issue. We don't have privacy practice." And now they do. So fast forward a few years, and privacy has become a lot more top of mind in the legal community. So GCs, I think, have been thinking about setting up that GDPR framework in the U.S., and also these California laws. GCs are terrified of the California laws.
