Vanessa Wu said she first found out about Rippling, a fast-growing startup for managing employee data, because she was fascinated by password managers and thought Rippling had a nice one. But since she joined the company as its general counsel in 2019, she's found herself thinking about privacy on an even broader level.
Rippling's job is to store and share all of a company's data, from logins to payroll to employees' most personal information. That means Wu and her team are at the center of a burgeoning debate in the tech world over how, exactly, companies should use that data. Many are still figuring out what GDPR, CCPA, CPRA and the rest of the world's hodgepodge of privacy legislation mean for their business and internal processes.
Wu joined the Source Code Podcast to talk about Rippling's approach, privacy in the workplace, employers spying on their employees and more.
Below are excerpts from our interview, condensed and edited for length and clarity.
One thing I've heard you talk about a lot is the idea that there's a difference between HR data and employee data. Can you explain what you mean?
I think the "aha" moment, the secret sauce of Rippling, is saying: "Hey, so many business systems are built off of employee data. And that's what creates so much administrative pain for companies." It's the fact that they don't have a unified system for understanding all of their employee data or HR data. So what I mean by that is, if you are running payroll for somebody at your company, and that person gets married [or] has a kid, that changes their benefits, which changes their payroll, which historically was a whole team of people behind the scenes at whatever large company you're working at literally copying fields from spreadsheet to spreadsheet to make sure that your pay accounted for those differences and benefits deductions that you are going to have to pay.
And that's why it doesn't update automatically. You think it should, but it doesn't. And now we have a whole security component to it. When people leave your company, you don't want them to have access to all your confidential information. So you have to talk to IT [and] they have to manually deactivate each person because they no longer work at the company. And that's what Rippling is unifying. I think companies just haven't thought about it as one system: Using the employee data — the fact that they're employed, the fact that they've gotten a promotion, the fact that they're no longer with your company — to power all business systems. And from a privacy perspective, that's really cool. Because you can be really respectful of the data for each use case.
There's an interesting connection there between how you think about something like ad tech and something like employee data, because it's sort of the same thing, right? You're saying, "We are going to take a lot of information about you, we're going to put it all in one place and then we're going to figure out how to treat it usefully and responsibly." And it feels like you're actually sort of solving the same problem from two very different directions.
It's a super similar problem. And I think people don't usually think about it in that way. It just has different public connotations. I think with ad tech, some consumers maybe don't want all of their data linked together so that they can be shown ads on their phone versus their computer versus their TV. And they don't have a good understanding of why that's happening. (It's happening because advertisers are paying the money for that to happen.) Whereas the use case within a company with Rippling makes total sense. Yeah, of course you're going to share that employee data with a system like Rippling so that they can make sure that when someone leaves the company, they don't still have access to all of your systems, or so that when your employee has a kid, all those benefits transition to payroll. Or when so-and-so is promoted, they suddenly have access to all the tools they need as a manager and the permissions associated with that.
So I think it's just more respectful of the data, because it's very logical. It's just that systems haven't been built with that broad range. Because it's difficult. Like [Rippling cofounder and CEO Parker Conrad] often says, we're building 10 companies at one time. That's our ultimate challenge. People build point solutions because it's a lot easier to wrap your head around building just payroll. There are a ton of public payroll companies with multibillion-dollar valuations. And for us, that's like one of the 10 other things we're building.
We've spent the last four years really reckoning with this personal privacy argument, in a lot of ways for the first time. But the question of how data is supposed to work at work really has not been a thing we've talked a lot about. I think recently we've talked about it more, with these things that log keystrokes when people are at home to make sure people are working, and wearables to track you and stuff. But have we ever actually had a broader conversation about employee data? Is this even a thing people are thinking about at all?
I don't think so. I thought that this year would be the year that we were going to talk about employee data, because the California Consumer Privacy Act went into effect at the beginning of the year with a one-year exemption for employee data. So the idea was that over the course of 2020, we were going to figure out how privacy works with employee data. That has just been extended to 2022 because of the pandemic, so no one's been able to think about it. And then there's the new ballot initiative on the books in California, the CPRA. That would extend that discussion on employee privacy and B2B privacy until 2023. So not only is it not being talked about, it's been extended out further and further into the future.
So where does that put you? Do you just have to guess where we're going to be in a couple of years as you're making decisions about things now?
I really look to Europe as the best guide. The U.S. is never going to adopt all the regulations that Europe does; we're a different country, we have a very different viewpoint on things like digital rights and privacy. But Europe always goes further, I think, than we will. So understanding where they are, and given the fact that we do plan to be a global business someday, that's the best way for us to kind of futureproof our business and understand how we can be respectful of employee data.
What do you take from GDPR as an interesting barometer for where the U.S. might go?
GDPR is just rooted in a couple of foundational principles, one of which is that you need to have a legal basis to process data. So you need to have some legal reason to have the data in the first place, and then you need to process it in the way that you're telling people. And you should limit your use cases.
So, real example: I'm collecting a social security number from an employee — [a] pretty sensitive piece of data — so that I can feed it to your health insurance carrier and actually get you good benefits. That makes sense! But maybe I don't want you using my social security number to sell it to Experian, who's then going to data-broker that into the ad tech system, just because I'm employed with your company.
This concept isn't that novel, [the idea] that when you give your data to somebody ... they will do with it what they say they will do with it, and nothing more. And it's kind of crazy that that's the novel concept out of GDPR. But some companies are really well situated to do that, and other companies are not.
The big ad tech platforms of the past 10 years, like Google and Facebook and Amazon, do not subscribe to that policy of "when you give us your data, we only do with it what we've said we're going to do with it." That's totally antithetical to their platform model. But I was really attracted to Rippling because it's just sort of organically set up to do that and be respectful and be compliant with these GDPR principles.
I'm curious how you think about privacy in the world right now, more broadly. Every company I talk to is very much still reckoning with how to let people use personal machines, how to keep an eye on whether people are being productive versus respecting their space. "Should people have admin passwords on their computers?" is a question I keep getting from people. What's the most interesting stuff you're seeing?
I've read some of those same articles about people doing, like, keystroke monitoring, and it seems pretty invasive to me. I was a lawyer at a law firm first and we had to bill our time in six-minute increments, but as a result no one ever really monitored what you were doing because you just self-policed. If you weren't billing enough, you just weren't billing enough. And then the assumption is you're not working. That had a lot of downsides, but I think the flip side is there is a lot of flexibility and no one was ever like, "Are you in the office?" There wasn't this face-time requirement. Whereas I think about the bankers of the world, who put their jackets on their desk chair so their boss thinks they're in the office even if they're not, because face time is such an important thing. They're just sitting there to sit there.
I think the pandemic has kind of revealed everyone's worst fears and attributes in that sense. But it has also really highlighted it, too: Is it really necessary to be face-to-face with someone, even though you're doing no work, to still be a productive individual? And so I see a lot of those things as bad behavior, but hopefully the pandemic is helping people learn to get a little more trust. But I do think those tools and those practices should probably be more closely scrutinized.
The thing people in the U.S. don't realize, though, is that they don't really have rights to challenge those practices, except by not working at those employers. I would just personally like to see more attention to that, because I think some of those practices are pretty poor.
Employees have no leverage in this, right? In the same way that you sort of can't avoid Google, even if you'd like to.
Yeah, I think it's a power imbalance between the employer and employee, because we're very transactional about it in the U.S. It's like, "just go work somewhere else," whether or not that's truly a reality. I am personally all for additional employee privacy legislation. I think the pandemic has shown some of the creepier ways in which employers are trying to [exert] control over their employees. And some limits should be placed on that, rather than it just being a free-for-all.
Why don't we have privacy legislation yet? It seems like in part we're arguing about what federal privacy legislation is supposed to look like. But in part, it just doesn't seem like anybody really cares.
Yeah, I don't think Americans believe in privacy universally. And it's not a constitutional right. It's like, we have a right to free speech, we have a right to bear arms, we don't have a right to privacy in our federal constitution. And you do have that in Europe. So I think it's always just battling against, "Well, what about my speech!" Americans just don't care as much.
In the meantime, what can you as general counsel at a tech company, or any tech company in general, do? It feels like something is inevitably going to happen in the next couple years. You don't want to build a whole privacy and data infrastructure that then becomes immediately outdated by this new system, but also doing nothing seems like a bad idea. How do you exist in this limbo?
I think the coolest thing about the GC community is a lot of GCs have started focusing on privacy. When I left my law firm way back when, I was like, "I'm gonna focus on privacy, you know, away from antitrust," and they were like: "That's not a big enough issue. We don't have privacy practice." And now they do. So fast forward a few years, and privacy has become a lot more top of mind in the legal community. So GCs, I think, have been thinking about setting up that GDPR framework in the U.S., and also these California laws. GCs are terrified of the California laws.