The privacy fight is heading to the office

Vanessa Wu, Rippling's general counsel, talks about remote work, employee data and why privacy legislation needs to apply in the office.

You can track employees working from home. But should you?

Vanessa Wu said she first found out about Rippling, a fast-growing startup for managing employee data, because she was fascinated by password managers and thought Rippling had a nice one. But since she joined the company as its general counsel in 2019, she's found herself thinking about privacy on an even broader level.

Rippling's job is to store and share all of a company's data, from logins to payroll to employees' most personal information. That means Wu and her team are at the center of a burgeoning debate in the tech world over how, exactly, companies should use that data. Many are still figuring out what GDPR, CCPA, CPRA and the rest of the world's hodgepodge of privacy legislation mean for their business and internal processes.

Wu joined the Source Code Podcast to talk about Rippling's approach, privacy in the workplace, employers spying on their employees and more.


Below are excerpts from our interview, condensed and edited for length and clarity.

One thing I've heard you talk about a lot is the idea that there's a difference between HR data and employee data. Can you explain what you mean?

I think the "aha" moment, the secret sauce of Rippling, is saying: "Hey, so many business systems are built off of employee data. And that's what creates so much administrative pain for companies." It's the fact that they don't have a unified system for understanding all of their employee data or HR data. So what I mean by that is, if you are running payroll for somebody at your company, and that person gets married [or] has a kid, that changes their benefits, which changes their payroll, which historically was a whole team of people behind the scenes at whatever large company you're working at literally copying fields from spreadsheet to spreadsheet to make sure that your pay accounted for those differences and benefits deductions that you are going to have to pay.

And that's why it doesn't update automatically. You think it should, but it doesn't. And now we have a whole security component to it. When people leave your company, you don't want them to have access to all your confidential information. So you have to talk to IT [and] they have to manually deactivate each person because they no longer work at the company. And that's what Rippling is unifying. I think companies just haven't thought about it as one system: Using the employee data — the fact that they're employed, the fact that they've gotten a promotion, the fact that they're no longer with your company — to power all business systems. And from a privacy perspective, that's really cool. Because you can be really respectful of the data for each use case.

There's an interesting connection there between how you think about something like ad tech and something like employee data, because it's sort of the same thing, right? You're saying, "We are going to take a lot of information about you, we're going to put it all in one place and then we're going to figure out how to treat it usefully and responsibly." And it feels like you're actually sort of solving the same problem from two very different directions.

It's a super similar problem. And I think people don't usually think about it in that way. It just has different public connotations. I think with ad tech, some consumers maybe don't want all of their data linked together so that they can be shown ads on their phone versus their computer versus their TV. And they don't have a good understanding of why that's happening. (It's happening because advertisers are paying the money for that to happen.) Whereas the use case within a company with Rippling makes total sense. Yeah, of course you're going to share that employee data with a system like Rippling so that they can make sure that when someone leaves the company, they don't still have access to all of your systems, or so that when your employee has a kid, that all those benefits transition to payroll. Or when so-and-so is promoted, they suddenly have access to all the tools they need as a manager and the permissions associated with that.

So I think it's just more respectful of the data, because it's very logical. It's just that systems haven't been built with that broad range. Because it's difficult. Like [Rippling cofounder and CEO Parker Conrad] often says, we're building 10 companies at one time. That's our ultimate challenge. People build point solutions because it's a lot easier to wrap your head around building just payroll. There are a ton of public payroll companies with multibillion-dollar valuations. And for us, that's like one of the 10 other things we're building.

We've spent the last four years really reckoning with this personal privacy argument, in a lot of ways for the first time. But the question of how data is supposed to work at work really has not been a thing we've talked a lot about. I think recently we've talked about it more, with these things that log keystrokes when people are at home to make sure people are working, and wearables to track you and stuff. But have we ever actually had a broader conversation about employee data? Is this even a thing people are thinking about at all?

I don't think so. I thought that this year would be the year that we were going to talk about employee data, because the California Consumer Privacy Act went into effect at the beginning of the year with a one-year exemption for employee data. So the idea was that over the course of 2020, we're going to figure out how privacy worked with employee data. That has just been extended to 2022 because of the pandemic, so no one's been able to think about it. And then there's the new ballot initiative on the books in California, the CPRA. That would extend that discussion on employee privacy and B2B privacy until 2023. So not only is it not being talked about, it's been extended out further and further into the future.

So where does that put you? Do you just have to guess where we're going to be in a couple of years as you're making decisions about things now?

I really look to Europe as the best guide. The U.S. is never going to adopt all the regulations that Europe does; we're a different country, we have a very different viewpoint on things like digital rights and privacy. But Europe always goes further, I think, than we will. So understanding where they are — and in the fact that we do plan to be a global business someday — that's the best way for us to kind of futureproof our business and understand how we can be respectful of employee data.

What do you take from GDPR as an interesting barometer for where the U.S. might go?

GDPR just is rooted in a couple of foundational principles, one of which is that you need to have a legal basis to process data — so you need to have some legal reason to have the data in the first place, and then you need to process it in the way that you're telling people. And that you should limit your use cases.

So, real example: I'm collecting a social security number from an employee — [a] pretty sensitive piece of data — so that I can feed it to your health insurance carrier and actually get you good benefits. That makes sense! But maybe I don't want you using my social security number to sell it to Experian, who's then going to data-broker that into the ad tech system, just because I'm employed with your company.

This concept isn't that novel, [the idea] that when you give your data to somebody ... they will do with it what they say they will do with it, and nothing more. And it's kind of crazy that that's the novel concept out of GDPR. But some companies are really well situated to do that, and other companies are not.

The big ad tech platforms of the past 10 years, like Google and Facebook and Amazon, do not subscribe to that policy of "when you give us your data, we only do with it what we've said we're going to do with it." That's totally antithetical to their platform model. But I was really attracted to Rippling because it's just sort of organically set up to do that and be respectful and be compliant with these GDPR principles.

I'm curious how you think about privacy in the world right now, more broadly. Every company I talk to is very much still reckoning with how to let people use personal machines, how to keep an eye on whether people are being productive versus respecting their space. "Should people have admin passwords on their computers?" is a question I keep getting from people. What's the most interesting stuff you're seeing?

I've read some of those same articles about people doing, like, keystroke monitoring, and it seems pretty invasive to me. I was a lawyer at a law firm first and we had to bill our time in six-minute increments, but as a result no one ever really monitored what you were doing because you just self-policed. If you weren't billing enough, you just weren't billing enough. And then the assumption is you're not working. That had a lot of downsides, but I think the flip side is there is a lot of flexibility and no one was ever like, "Are you in the office?" There wasn't this face-time requirement. Whereas I think about the bankers of the world, who put their jackets on their desk chair so their boss thinks they're in the office even if they're not, because face time is such an important thing. They're just sitting there to sit there.

I think the pandemic has kind of revealed everyone's worst fears and attributes in that sense. But it has also really highlighted it, too: Is it really necessary to be face-to-face with someone, even though you're doing no work, to still be a productive individual? And so I see a lot of those things as bad behavior, but hopefully the pandemic is helping people learn to get a little more trust. But I do think those tools and those practices should probably be more closely scrutinized.

The thing people in the U.S. don't realize, though, is that they don't really have rights to challenge those practices, except by not working at those employers. I would just personally like to see more attention to that, because I think some of those practices are pretty poor.

Employees have no leverage in this, right? In the same way that you sort of can't avoid Google, even if you'd like to.

Yeah, I think it's a power imbalance between the employer and employee, because we're very transactional about it in the U.S. It's like, "just go work somewhere else," whether or not that's truly a reality. I am personally all for additional employee privacy legislation. I think the pandemic has shown some of the creepier ways in which employers are trying to [exert] control over their employees. And some limits should be placed on that, rather than it just being a free-for-all.

Why don't we have privacy legislation yet? It seems like in part we're arguing about what federal privacy legislation is supposed to look like. But in part, it just doesn't seem like anybody really cares.

Yeah, I don't think Americans believe in privacy universally. And it's not a constitutional right. It's like, we have a right to free speech, we have a right to bear arms, we don't have a right to privacy in our federal constitution. And you do have that in Europe. So I think it's always just battling against, "Well, what about my speech!" Americans just don't care as much.

In the meantime, what can you as general counsel at a tech company, or any tech company in general, do? It feels like something is inevitably going to happen in the next couple years. You don't want to build a whole privacy and data infrastructure that then becomes immediately outdated by this new system, but also doing nothing seems like a bad idea. How do you exist in this limbo?

I think the coolest thing about the GC community is a lot of GCs have started focusing on privacy. When I left my law firm way back when, I was like, "I'm gonna focus on privacy, you know, away from antitrust," and they were like: "That's not a big enough issue. We don't have privacy practice." And now they do. So fast forward a few years, and privacy has become a lot more top of mind in the legal community. So GCs, I think, have been thinking about setting up that GDPR framework in the U.S., and also these California laws. GCs are terrified of the California laws.
