The gig (economy) is up: New California law upgrades Lyft, Uber, other app serfs to staff

Rules may blow up bug bounty upstarts, too

Analysis The California Senate has passed a new gig-economy law that may force app companies like Uber and Lyft to treat certain workers as employees rather than independent contractors.

The new law, AB5, is set to come into effect on January 1, and is likely to have a significant impact on the app economy, including on bug bounty platforms that share many of the same characteristics as the ride-sharing and food-delivery businesses that provoked the law in the first place.

Uber, at least, has indicated it will fight the law in an imaginative way. The biz said it merely "serves as a technology platform for several different types of digital marketplaces," and argued its cabbies are not core to its operation because they are simply customers of said marketplaces. Thus, Uber does not believe it is affected by the Golden State's legislation, and so it doesn't have to change any of its practices.

Knock-on effects

As the center of the United States’ gig economy, California, now armed with its fresh employment law, is likely to have a direct influence on other states – New York, Washington, and Oregon have already started pushing for or reviving similar legislation.

AB5 passed late on Tuesday by 29 votes to 11, and will progress to the Cali Assembly and the desk of Governor Gavin Newsom, both of which are expected to approve and sign the bill into law. The governor has been heavily lobbied by companies, including Uber, though he made it plain in an op-ed earlier this month that he intends to green light the legislation. Newsom said on Wednesday he will “continue negotiating” with labor unions and gig-economy companies to try to find a solution before the bill hits his desk.

“This law is intended to convert thousands of gig-economy workers to employees,” explained labor & employment partner Michael Droke of international law firm Dorsey & Whitney. “While Uber and Lyft come to mind, this law applies to any independent worker in California. Many industries rely on independent contractors to deliver products and services, from food delivery to software coding and design.”

He also warned that “all companies using independent contractors in California should review the relationship… Employers who knowingly violate the statute could be subject to criminal penalties.”

Contractual obligations

The law basically sets in stone a California Supreme Court decision last year that defined when somebody working for a company is an employee or working independently.

As an independent contractor, you are not entitled to a range of benefits including minimum wage, unemployment insurance, and other protections that you get as an employee. Those protections cost businesses roughly an additional 20-30 per cent per worker, and so they have been keen to avoid the additional financial burden.

But the Supreme Court, and now the California legislature, have stated that if a company decides how much its workers earn, and the job that they do is a core part of their business, they should be treated as employees and not contractors.

In the case of a company like Uber, what the workers do – drive cars – is the company’s entire business, and so it will be obligated to treat them as employees. The company, and its rival Lyft, have lobbied heavily to be granted an exemption from the law – as many other groups including doctors, engineers, architects, fishermen and hair stylists have been allowed.

But legislators refused, leaving them and other groups, including truckers and exotic dancers, uncertain of how to respond to the new law. Uber, Lyft and DoorDash have indicated that they intend to try to sidestep the law before it comes into force by pushing a ballot measure during the next election where California voters will be asked to approve an alternative measure. The companies have set aside $90m for the effort, but experts are doubtful of its likely success.

At least one million workers are expected to be impacted by the new law, reflecting the surge in online platforms that act as middlemen in a whole range of industries from ride-hailing to food-delivery, nail salons, construction, janitorial work and a wealth of other service industries. Many of those platforms were developed in response to the apparent success of companies like Uber.

Bugging out

One such industry that may be adversely impacted also hits the technology industry directly: bug bounty platforms. In recent years, a number of platforms, including Bugcrowd, HackerOne and Synack, have grown up to connect tech companies looking to find security holes in their products with a loose global community of hackers who can find and report bugs.

But, as Katie Moussouris, CEO of bug bounty specialists Luta Security, has pointed out, such platforms work in a very similar fashion to companies like Uber. Moussouris created Microsoft’s bug bounty program while an employee there, was closely involved in a similar program at the US Department of Defense, and also served as HackerOne’s chief policy officer.

“The whole bug bounty eco-system relies on gig-economy workers,” she explained to The Register. “Not just the bug hunters but also the people who triage reports to send only confirmed bugs to companies.”

Moussouris tells us that while at Microsoft, lawyers were so concerned that the design of their bug bounty program might break labor laws that they sought external legal advice from labor law specialists, which subsequently confirmed it could well be in violation.

Big tech companies have some employees that they pay to work on finding and fixing bugs full-time, so it is easy to argue the point that bug hunting represents a core part of their business. Bug bounty platforms also give clear criteria over the work product that they will pay for – which can be taken as directing work. And they pay people for their time and skills, as well as repeatedly refer to the “work” that the people that sign up to their platforms perform.


In addition, many bug hunters are required to sign non-disclosure agreements, often before they are even allowed to submit bug reports. And, if someone reports a bug that a bug bounty platform has seen before, they are not paid at all, meaning that they are not paid for the work they have carried out, raising minimum wage concerns.

In short, bug bounty platforms share many of the same characteristics as other gig-economy platforms that the California legislature has identified as requiring companies to hire workers as employees. A radical shake-up in the market may come as a result.

Moussouris is not concerned though. “There have been bug bounty programs long before these platforms,” she tells us, “companies will just move to an in-house ticketing system. Microsoft and Google were examples of companies that run their own in-house bug bounties that were around long before the gig econ platforms. The most useful aspect of these platforms has been payment processing; if [the tech industry] decides to invest resources into their bug bounty programs they could end up being more effective than now.”

We have asked Bugcrowd, HackerOne, and Synack for their thoughts on the possible impact of AB5 on their business and will update this story if they get back to us. ®
