Nielsen, IRI, ListHub, Point2, IMS Health, and many more. There’s a long list of data-broker companies that have built a thriving business by collecting, packaging, and reselling data. So far, though, it’s difficult to find examples of IoT-based companies that have found success in packaging and selling IoT data.

Don’t let that fool you.

The market potential for IoT data brokerage, or “data as a service,” has yet to fully arrive, but it is looming thanks to the confluence of sensors, cloud computing, third-party data sources, and APIs. Like the rest of the IoT market, it will be big. Gartner predicts that “10% of organizations will have a highly profitable business unit specifically for productizing and commercializing their information assets.”⁴⁰

Principle 8: Through the Internet of Things, companies can collect an unprecedented volume and variety of data—the new “black gold”—which they will syndicate to create valuable new businesses and revenue streams.

In this chapter we will explore how the data you own is an essential element in any IoT strategy and how to walk the delicate line between monetization and protecting individual privacy.

Already we’re seeing smart-home companies selling IoT-generated data to advertisers or insurance companies, cargo ship transit and port arrival information being sold to financial trading companies, and building and appliance energy-consumption data being sold to utility companies. It’s a sophisticated business and a growing opportunity for companies in the midst of building and leveraging their IoT strategies. To get there, you’ll need to build your data assets strategically and offer others the ability to access these assets simply.

If you’re part of a company that’s even remotely interested in building a revenue stream around IoT data, now is the time to start planning. Setting yourself up to collect data through your products and services today will give you the assets you need to attack the IoT data market soon in the future.

Amazon—which, as already noted, is already using the Internet of Things to improve customer experiences, drive operational improvements, and build new business models (the IoT triple threat)—is so far holding off on announcing any serious IoT-data-broker plays.

That might seem strange in the face of their move-fast-and-break-things approach to other new markets. With drones, machine learning, and voice recognition, Bezos has played for the first-mover advantage, but a data business is ruled by different dynamics. There’s not much to be gained—and, frankly, a lot to lose—by jumping in before there are enough customers to support your business.

While the company bides its time, Amazon is likely to carry on collecting as much data as possible. When the right time does come, Amazon wants to be prepared to dive in. Or, if for some reason, Amazon decides it’s not strategic after all, the company will still be set up to use its data as it always has—to drive consumer experience through personal recommendations, personalization, and data-based advertising models.

THE SYNDICATION BUSINESS MODEL

Once you feel the time is right to dive into the data market, you’ll need a business model. The most popular approach to data sales is through syndication, the act of collecting, packaging, and selling access to data. Or, as the Harvard Business Review described it,

Syndication involves the sale of the same good to many customers, who then integrate it with other offerings and redistribute it…syndication is a radically different way of structuring business than anything that’s come before. It requires entrepreneurs and executives to rethink their strategies and reshape their organizations, to change the way they interact with customers and partner with other entities, and to pioneer new models for collecting revenues and earning profits. Those that best understand the dynamics of syndication—that are able to position themselves in the most lucrative nodes of syndication networks—will be the ones that thrive in the Internet era.⁴¹

Data brokers like Experian, Nielsen, and Dun & Bradstreet have all worn a firm path here, building large, successful businesses on some variation of the syndication model.

Over the years, the old-school syndication models they used have been upgraded by digital capabilities, progressing from distributing paper reports and CD-ROM-based data sets to APIs, which allow for the real-time integration of data and critical business systems.

Some IoT-based companies will use data syndication as their primary business model. For others, it will be just one of many revenue streams.

One early entrant to the IoT data sales industry is Inrix, a company based in Kirkland, Washington. Inrix’s core business is selling real-time traffic and automotive data to car manufacturers like Tesla and BMW. You can think of their business in two major chunks—sourcing the data and then selling the data.

On the sourcing side, they collect data from many places—cell phones, sensors in cars, commercial fleets, fleet management software companies, chipset manufacturers, public data sources such as roads with coiled sensors in them, and roadside RFID sensors.

Inrix then munges the data, combining and integrating disparate data streams to meet specific customer needs. Their primary business is in selling real-time traffic data to car manufacturers, which use the data to power their navigation systems. This data has a very short half-life—information about the amount of traffic on a road is really only valuable at the time that that traffic exists. Its value decays quickly.

Inrix also provides a range-prediction tool for electric vehicles, which uses algorithms to calculate a vehicle’s range on a given electric charge based on weather, road, and traffic conditions. It provides intermodal transportation data to power wayfinding calculations about driving, walking, and for public transportation. It even sells historical traffic information to public and infrastructure-planning companies that need detailed traffic-pattern data.

All of Inrix’s data is sourced from and accessed via APIs. Some of the companies Inrix sources data from are also data-as-a-service IoT-based businesses, such as chipset manufacturers and digital-map-data providers, primarily HERE and Tele Atlas.

In each of these cases, it has taken years of focus and investment to build and develop a data-brokering business model. This is important if you’re thinking about integrating data brokering or data syndication into your business. For companies not already in this space, creating this kind of long-term focus and patience will be the largest hurdle to breaking in.

In addition to direct syndication, there are also other indirect business models for working with data.

Some companies, like Google, use data to drive advertising. Google has collected immense amounts of information about the search habits and use cases of its customers. It won’t sell you that data directly, but it will sell you the insights that they’ve gleaned from it in the form of targeted, direct advertising.

Through Nest, a Google subsidiary, Google also sells insights about customers’ energy, appliance, and utility use to utility companies. The revenue potential of even this submarket is estimated in the hundreds of millions per year.⁴²

DATA-AS-A-SERVICE VIA APIS

If you’re thinking about building out a data market of your own, one of the most important decisions you’ll make is about how to distribute that information to others so that they can derive the most possible value from the data you’ve collected.

In nearly all cases, there’s really only one right approach here—using an API to allow technology developers to easily leverage your services and capabilities in real time.

Sometimes it’s the volume or veracity of your data that will make it valuable—a huge set of data about a customer’s search habits, for example, is likely more useful than just the last hour of that person’s search history. But oftentimes, as in the case of Inrix’s traffic data, it’s the real-time nature that will make your data most valuable to your customers. It’s the ability to see what is happening right now at any given time.

APIs allow you to incorporate data bought from someone else into your technology applications in real time. APIs are also a more operationally efficient way to share data. There are still a lot of data companies that distribute data via CD, for example. But with an API, you won’t need to add extra infrastructure or significantly more headcount to scale and distribute that data to more and more customers.

There are literally thousands of APIs that developers can access to leverage the capabilities of others. Sometimes the capability behind an API is some form of infrastructure, like cloud computing. Sometimes that capability is a transaction—companies can use APIs to manage their UPS shipments, for example. Sometimes it even integrates two or more products together. APIs are the infrastructural backbone that allows Amazon’s Alexa and Ford cars to send updates to one another.

One of the most interesting and robust categories you’ll find in IoT-enabled APIs is in weather data. That’s due mostly to the huge number of probes, buoys, gauges, and other instruments that have been deployed around the world to source real-time weather data. Those sensors act as the backbone for a growing group of companies providing data-as-a-service weather APIs.

Zappos, for example, uses a weather-based data-as-a-service API to deliver personalized weather-aware marketing and customer engagement ads and content. If it senses there’s a pattern of rain in your area, it might serve you an ad for rain boots.

“We want to make sure if it’s gonna rain in your neighborhood, how can we stay personal with you and show you something that’s relevant for you,” explained Lisa Archambault, Zappos’s head of demand generation, at a 2014 conference.⁴³

PRIVACY, OWNERSHIP, AND SECURITY: NAVIGATING THE WILD WEST OF DATA

The biggest risk—and the biggest opportunity—of the IoT data-brokerage business is its lack of regulation on privacy, data ownership, and security. We can start to get a sense of why this is by putting ourselves in the mind-set of a farmer.

As a farmer, there are plenty of things you’ll need to worry about—the prices of commodity products, the price of fuel, how to take care of your employees, the weather, how to sustain soil health, and safety are all on the list. That’s why companies like Climate Corporation have combed so much of American farmland for data and offer services help farmers track and maintain soil health.

But at the top of that list is a concern about who owns and profits from the data on your farm, crops, and productivity. According to a 2016 American Farm Bureau Federation survey,⁴⁴ 77 percent of respondents are “concerned about which entities can access their farm data, and whether it could be used for regulatory purposes.”⁴⁵

The lack of stable and well-understood regulation around data ownership, control, and monetization make data syndication a kind of wild, wild West.

With the fast-growing number of endpoint devices and IoT’s networked nature, securing the Internet of Things is perhaps the biggest threat to the promise of connected devices. Privacy, or the rights of individuals to understand, agree, or opt out of data collected about them, is another big one.

In the industrial and B2B IoT market, there are very few protocols and norms for negotiating and licensing data ownership. Individual deals often determine any rules and regulations between two companies around data processing and access. What few regulations there are can vary by geography and are dynamic.

The consumer segment, where data is collected from users of apps and products, is even more complex. Privacy and making consumer control transparent and easy-to-manage approaches are becoming a multi-front battle. This includes public policy and laws that are not advancing at the speed of technology and product capabilities. Autonomous cars are an example of where policy and laws are behind where the reality of the market is at.

Even the separation between the B2B and consumer markets is artificial and blurred. Data collected in employment situations is often subject to different interpretations and obligations. Who owns the data? Who profits from the data? Where do company priorities collide with individual rights and choices?

For example, if a construction company sells an insurance company data about workplace accidents and the physical well-being of its workers, could that insurance company use that information to approve or deny an individual’s health insurance application? How should that information be managed relative to the individual’s health and privacy rules?

• • •

LEGAL LANDSCAPE FOR PRIVACY—IT’S GETTING MORE COMPLEX

For companies in the data space, managing and protecting data privacy will be opaque, risky, and hard to evaluate. The very definition of privacy is situational, varying by country, industry, and context. It is also extremely personal, with significant volumes of private customer information at stake.

Getting privacy right will win you customers; getting it wrong could be a major blow to your business. In both consumer and industrial IoT businesses, it will be essential to create the processes and architecture up front that allow you to manage data privacy and react to evolving business and regulatory requirements and standards.

It’s helpful to think about privacy as a three-legged stool. The first leg of the stool is your privacy policy itself, shaped by legal and international policy inputs. The second is the impact of privacy on your business model and value proposition. The third leg of the stool is your internal process and architecture for managing and adapting your privacy strategy. Security is a complementary but separate topic.

From the business-model standpoint, privacy can be both a key design constraint and important aspect of flexibility. On one hand, data linked to individuals can be important to the features and capabilities of IoT-enabled business models, even in industrial cases. Think about IoT devices that track individual location and activity levels; facial, speech, or other security identification devices and capabilities; or authentication devices managing access to resources. On the other, companies may have their own reasons for using discretion in managing, transmitting, and retaining location data.

The third leg of the stool is made up of the processes needed to manage privacy, typically tied to data access and management processes, processes required to manage the commitments made in the privacy policies they commit to, and capabilities to report and prove compliance with legal obligations.

I have a client that is a legacy software company transitioning to an API-driven platform model. As we were developing the platform business strategy and impact to architecture, we discovered that geography-aware capabilities could be a clear differentiator for both the users of the solution, as well as for my client’s company. With geo-aware capabilities, users are able to specify business rules regarding the location and tracking of content to keep it within certain jurisdictions.

The de facto interpretation and approach to a company’s legal compliance accountabilities for privacy was that they were accountable to the jurisdiction in which the data was stored, not where users were located.

At the time, US companies were able to comply with all EU-country laws by self-certifying compliance with the Safe Harbor Privacy Principles.⁴⁶

Notice. Individuals must be informed that their data is being collected and about how it will be used.

    Choice. Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

    Onward Transfer. Transfers of data to third parties may only occur to other organizations that follow adequate data-protection principles.

    Security. Reasonable efforts must be made to prevent loss of collected information.

    Data Integrity. Data must be relevant and reliable for the purpose it was collected for.

    Access. Individuals must be able to access information held about them and correct or delete it if it is inaccurate.

    Enforcement. There must be effective means of enforcing these rules.

This allowed US-based companies two critical operational benefits—first, they could transfer data to the United States without architecting geo-aware services. Secondly, they could easily comply with each EU country’s laws through one self-certification.

That was until Max Schrems came along. Schrems, an Austrian law student, decided to take on Facebook in a David versus Goliath legal battle after Snowden revealed that US agencies were reviewing European data that passed through US data centers. His goal was to prevent US companies from transporting EU citizens’ data outside the European Union.

Schrems’s lawsuit was successful, effectively invalidating Safe Harbor. Individual European countries can suspend data transfers if they (not the European Union) rule them a violation of individual privacy.

The implications of this to consumer and industrial IoT services are deep and dynamic. As Fortune’s David Meyer commented, “This isn’t just about Facebook—it could be very bad news for many U.S. multinationals with a European presence.”⁴⁷

For all companies in the data space, including your legal partner(s) as an integral part of the team is key. The stakes get higher if you’re planning to deploy to the European Union. But since security compliance can have a major impact on architecture design, I’d recommend all companies keep security at the forefront of their approach in early prototypes and pilots.

KEY QUESTIONS TO ADDRESS IN DEVELOPMENT OF PRIVACY STRATEGIES FOR IOT

1. What data and events will be collected that either independently or, when merged with others, can identify an individual?
2. Will this data be transferred and stored beyond the device to a central server or cloud storage?
3. Will the IoT devices and service be designed to operate internationally?
4. What geography and access-management capabilities are required, and how might these provide competitive differentiation?
5. What broader approaches should you be taking to protect your business from the downsides of any future regulations?

• • •

For companies considering the data-broker business, it will be essential to be both proactive and transparent about how you manage and regulate data.

The downside of twenty-six billion endpoints by 2020 is that there are twenty-six billion endpoints to secure, keep current, manage the operations of, and understand when illicit activity or breaches have happened. The security and operational management of IoT devices are both a major design and ongoing operational and security challenge. Building your security framework and requirements for prevention, detection, and recovery from the start is often referred to as “security by design.”

From the start, you should call on both internal and external legal help to develop your IoT strategy. This approach is known as “legal by design.” Like the more popular “security by design,” legal by design means recognizing the role that legal and security concerns play in the entire product-design life cycle. They cannot be separated or considered just as afterthoughts in the design process.

Specific requirements and quickly changing privacy obligations can be a risk to entering the market. But if you get out ahead of developing norms and legal standards from the start, that uncertainty and complexity can actually become a strategic advantage.

DEPLOYING AN IOT-DRIVEN DATA-BROKER BUSINESS

Hopefully you now see the huge possible upside of an IoT-driven data-broker business. You’re ready to dive in. What will you need to develop this asset? How should you move ahead?

First, you need to get clear on your strategy. What kinds of data assets could you best create through your business? What markets and clients would find this data valuable? What other contextual data could you bring in to enrich it and make it even more valuable? What might be your licensing or subscription approach? What possible legal or other conflicts might keep you from pursuing this opportunity? The first step of developing an IoT-driven data-broker business is to move from an opaque, high-level view of what your business could be to specific, real examples to bring clarity and definition.

Second, based on the strategy and use cases you decide to pursue, you’ll need to understand exactly how to make the data you collect as valuable as possible. What kind of processing would you need to do to on the raw data before you could sell it to others? What kind of parameters should you set around data collection? For your own use, you might only plan on collecting a subset of location, movement, or use data from your sensors, but, given the declining cost of collecting and storing data, it might be smart to collect more than you’d ever think you need. Sometime in the future, the fact that you’ve collected that data might create new opportunities and uses. Imagine you had a bunch of buoys out in the ocean. For personal purposes, you might only need to know if the water moves above or below certain temperatures, but you might find upon reflection that some portion of the market actually values the real-time temperature of the water. In that case, you’d need to make a quick pivot to collect the temperature of the water every fifteen seconds.

Third, you’ll need to build a background in the information-brokering business and a keen understanding of potential clients for your data. You’ll need to understand how to optimize value for these clients and develop actual go-to-market skills. How will you package this data? How will you approach the market? How will you develop new clients and service existing clients once you have them? In the case of the buoy company, for example, this might mean building out a marketing or sales team that understands how to approach the institutions and broader market that would be interested.

Fourth, you’ll need to install leadership focused on curating data as intellectual property (IP). Most organizations understand and value IP but don’t understand the value of data. Just as you value other kinds of IP in your business, you’ll need to develop expertise in managing data as a commercial asset.

Doug Hubbard is a consultant focused on applied-information economics. As he has explains, innovation teams that include the CIO or other IT leaders can “take raw information and turn it into a product…you need the equivalent of an actuary in IT.”⁴⁸ Design, technology, and brand are all examples of IP curated and valued by organizations. Data needs to be one of them. In so doing, you’ll naturally find ways to make that data more valuable.

And finally, you’ll need to determine pricing and licensing approaches. As with so many assets and values, the beauty of data is in the eye of the beholder. Determining the value of your product and how to price a potential data asset will take triangulation and experience, but there are a few steps to get you off on the right track.

1. Figure Out the Replacement Cost. If someone had to go build the data set, what would it take in terms of cost, time, and distraction?
2. Understand How the Data Might Be Used. If possible, do a “with the data” financial analysis and a “without the data” financial analysis.
3. Benchmark. Compare your data asset to others, and understand both their pricing and the value of the data.

These steps might seem unnecessary in a market that’s still young, but by diving in early, focusing on defining your product, and understanding the market and its value, you’ll be setting your company up to pounce on a huge opportunity.

There will be many entrants into the IoT data-syndication business. Only a few will find success. And, as with many things in business, timing will be everything.