Author: David Pierce

The privacy fight is heading to the office

Vanessa Wu, Rippling's general counsel, talks about remote work, employee data and why privacy legislation needs to apply in the office.

You can track employees working from home. But should you?

Vanessa Wu said she first found out about Rippling, a fast-growing startup for managing employee data, because she was fascinated by password managers and thought Rippling had a nice one. But since she joined the company as its general counsel in 2019, she's found herself thinking about privacy on an even broader level.

Rippling's job is to store and share all of a company's data, from logins to payroll to employees' most personal information. That means Wu and her team are at the center of a burgeoning debate in the tech world over how, exactly, companies should use that data. Many are still figuring out what GDPR, CCPA, CPRA and the rest of the world's hodgepodge of privacy legislation mean for their business and internal processes.

Wu joined the Source Code Podcast to talk about Rippling's approach, privacy in the workplace, employers spying on their employees and more.

Below are excerpts from our interview, condensed and edited for length and clarity.

One thing I've heard you talk about a lot is the idea that there's a difference between HR data and employee data. Can you explain what you mean?

I think the "aha" moment, the secret sauce of Rippling, is saying: "Hey, so many business systems are built off of employee data. And that's what creates so much administrative pain for companies." It's the fact that they don't have a unified system for understanding all of their employee data or HR data. So what I mean by that is, if you are running payroll for somebody at your company, and that person gets married [or] has a kid, that changes their benefits, which changes their payroll, which historically was a whole team of people behind the scenes at whatever large company you're working at literally copying fields from spreadsheet to spreadsheet to make sure that your pay accounted for those differences and benefits deductions that you are going to have to pay.

And that's why it doesn't update automatically. You think it should, but it doesn't. And now we have a whole security component to it. When people leave your company, you don't want them to have access to all your confidential information. So you have to talk to IT [and] they have to manually deactivate each person because they no longer work at the company. And that's what Rippling is unifying. I think companies just haven't thought about it as one system: Using the employee data — the fact that they're employed, the fact that they've gotten a promotion, the fact that they're no longer with your company — to power all business systems. And from a privacy perspective, that's really cool. Because you can be really respectful of the data for each use case.

There's an interesting connection there between how you think about something like ad tech and something like employee data, because it's sort of the same thing, right? You're saying, "We are going to take a lot of information about you, we're going to put it all in one place and then we're going to figure out how to treat it usefully and responsibly." And it feels like you're actually sort of solving the same problem from two very different directions.

It's a super similar problem. And I think people don't usually think about it in that way. It just has different public connotations. I think with ad tech, some consumers maybe don't want all of their data linked together so that they can be shown ads on their phone versus their computer versus their TV. And they don't have a good understanding of why that's happening. (It's happening because advertisers are paying the money for that to happen.) Whereas the use case within a company with Rippling makes total sense. Yeah, of course you're going to share that employee data with a system like Rippling so that they can make sure that when someone leaves the company, they don't still have access to all of your systems, or so that when your employee has a kid, that all those benefits transition to payroll. Or when so-and-so is promoted, they suddenly have access to all the tools they need as a manager and the permissions associated with that.

So I think it's just more respectful of the data, because it's very logical. It's just that systems haven't been built with that broad range. Because it's difficult. Like [Rippling cofounder and CEO Parker Conrad] often says, we're building 10 companies at one time. That's our ultimate challenge. People build point solutions because it's a lot easier to wrap your head around building just payroll. There are a ton of public payroll companies with multibillion-dollar valuations. And for us, that's like one of the 10 other things we're building.

We've spent the last four years really reckoning with this personal privacy argument, in a lot of ways for the first time. But the question of how data is supposed to work at work really has not been a thing we've talked a lot about. I think recently we've talked about it more, with these things that log keystrokes when people are at home to make sure people are working, and wearables to track you and stuff. But have we ever actually had a broader conversation about employee data? Is this even a thing people are thinking about at all?

I don't think so. I thought that this year would be the year that we were going to talk about employee data, because the California Consumer Privacy Act went into effect at the beginning of the year with a one-year exemption for employee data. So the idea was that over the course of 2020, we're going to figure out how privacy worked with employee data. That has just been extended to 2022 because of the pandemic so no one's been able to think about it. And then there's the new ballot initiative on the books in California, the CPRA. That would extend that discussion on employee privacy and B2B privacy until 2023. So not only is it not being talked about, it's been extended out further and further into the future.

So where does that put you? Do you just have to guess where we're going to be in a couple of years as you're making decisions about things now?

I really look to Europe as the best guide. The U.S. is never going to adopt all the regulations that Europe does; we're a different country, we have a very different viewpoint on things like digital rights and privacy. But Europe always goes further, I think, than we will. So understanding where they are — and in the fact that we do plan to be a global business someday — that's the best way for us to kind of futureproof our business and understand how we can be respectful of employee data.

What do you take from GDPR as an interesting barometer for where the U.S. might go?

GDPR just is rooted in a couple of foundational principles, one of which is that you need to have a legal basis to process data — so you need to have some legal reason to have the data in the first place, and then you need to process it in the way that you're telling people. And that you should limit your use cases.

So, real example: I'm collecting a social security number from an employee — [a] pretty sensitive piece of data — so that I can feed it to your health insurance carrier and actually get you good benefits. That makes sense! But maybe I don't want you using my social security number to sell it to Experian, who's then going to data-broker that into the ad tech system, just because I'm employed with your company.

This concept isn't that novel, [the idea] that when you give your data to somebody ... they will do with it what they say they will do with it, and nothing more. And it's kind of crazy that that's the novel concept out of GDPR. But some companies are really well situated to do that, and other companies are not.

The big ad tech platforms of the past 10 years, like Google and Facebook and Amazon, do not subscribe to that policy of "when you give us your data, we only do with it what we've said we're going to do with it." That's totally antithetical to their platform model. But I was really attracted to Rippling because it's just sort of organically set up to do that and be respectful and be compliant with these GDPR principles.

I'm curious how you think about privacy in the world right now, more broadly. Every company I talk to is very much still reckoning with how to let people use personal machines, how to keep an eye on whether people are being productive versus respecting their space. "Should people have admin passwords on their computers?" is a question I keep getting from people. What's the most interesting stuff you're seeing?

I've read some of those same articles about people doing, like, keystroke monitoring, and it seems pretty invasive to me. I was a lawyer at a law firm first and we had to bill our time in six-minute increments, but as a result no one ever really monitored what you were doing because you just self-policed. If you weren't billing enough, you just weren't billing enough. And then the assumption is you're not working. That had a lot of downsides, but I think the flip side is there is a lot of flexibility and no one was ever like, "Are you in the office?" There wasn't this face-time requirement. Whereas I think about the bankers of the world, who put their jackets on their desk chair so their boss thinks they're in the office even if they're not, because face time is such an important thing. They're just sitting there to sit there.

I think the pandemic has kind of revealed everyone's worst fears and attributes in that sense. But it has also really highlighted it, too: Is it really necessary to be face-to-face with someone, even though you're doing no work, to still be a productive individual? And so I see a lot of those things as bad behavior, but hopefully the pandemic is helping people learn to get a little more trust. But I do think those tools and those practices should probably be more closely scrutinized.

The thing people in the U.S. don't realize, though, is that they don't really have rights to challenge those practices, except by not working at those employers. I would just personally like to see more attention to that, because I think some of those practices are pretty poor.

Employees have no leverage in this, right? In the same way that you sort of can't avoid Google, even if you'd like to.

Yeah, I think it's a power imbalance between the employer and employee, because we're very transactional about it in the U.S. It's like, "just go work somewhere else," whether or not that's truly a reality. I am personally all for additional employee privacy legislation. I think the pandemic has shown some of the creepier ways in which employers are trying to [exert] control over their employees. And some limits should be placed on that, rather than it just being a free-for-all.

Why don't we have privacy legislation yet? It seems like in part we're arguing about what federal privacy legislation is supposed to look like. But in part, it just doesn't seem like anybody really cares.

Yeah, I don't think Americans believe in privacy universally. And it's not a constitutional right. It's like, we have a right to free speech, we have a right to bear arms, we don't have a right to privacy in our federal constitution. And you do have that in Europe. So I think it's always just battling against, "Well, what about my speech!" Americans just don't care as much.

In the meantime, what can you as general counsel at a tech company, or any tech company in general, do? It feels like something is inevitably going to happen in the next couple years. You don't want to build a whole privacy and data infrastructure that then becomes immediately outdated by this new system, but also doing nothing seems like a bad idea. How do you exist in this limbo?

I think the coolest thing about the GC community is a lot of GCs have started focusing on privacy. When I left my law firm way back when, I was like, "I'm gonna focus on privacy, you know, away from antitrust," and they were like: "That's not a big enough issue. We don't have privacy practice." And now they do. So fast forward a few years, and privacy has become a lot more top of mind in the legal community. So GCs, I think, have been thinking about setting up that GDPR framework in the U.S., and also these California laws. GCs are terrified of the California laws.
