GDPR walloped the domain industry in 2018.
[Editor’s note: this is the first in a series of articles covering the top stories of 2018. Many of the top posts this year are related, so I combined them into the top themes of the year.]
The top story of the year in the domain name business was GDPR. That’s short for General Data Protection Regulation, a new European Union law that took effect in May.
GDPR deals with privacy and data handling. Its most visible impact on the domain name industry is Whois. The law doesn’t directly address Whois information but many parties have interpreted it to mean that registrars and registries should not display personal information about domain name owners such as their name, address and phone number.
ICANN passed a temporary specification that allowed registrars to mask Whois information. Many registrars have taken this to the extreme, blocking all information from Whois other than dates and nameservers. No name. No email. No location.
Most registrars are still collecting this data. EPAG, a Tucows registrar, informed ICANN that it planned to stop collecting some information such as the non-registrant contacts (e.g. technical contacts). ICANN sued in German court to get an injunction but the courts denied its claims. The lawsuit wan’t particularly adversarial; while both parties think they’re right, what they really want is clarity on how GDPR will be interpreted.
GDPR applies to companies outside the EU but not to the personal information of non-EU citizens and residents, nor to businesses. Even though it doesn’t protect an American citizen in Texas, many registrars have treated all Whois records the same.
That’s not the case with the biggest registrar, however. GoDaddy (NYSE: GDDY) still displays information for non-EU customers. It only displays it on web-based Whois and not Port 43, which is a method of bulk and automated Whois lookups.
There are many practical implications of Whois going dark for many domains. For example, the old method of transferring a domain required the winning registrar to send an email to the domain registrant listed in Whois. That’s impossible when that information is obscured so a workaround was created.
It has also caused problems in the aftermarket. Marketplaces have implemented various procedures to verify domain ownership. Escrow companies have had to wait for confirmation that a domain is transferred. Buyers have less visibility into a domain’s chain of ownership. And UDRP providers have modified their workflow to account for Complainants filing cases against unknown parties. (Information in Whois is sometimes used to prove/disprove rights or legitimate interests in domains.)
There’s a big battle going on now to determine the future of Whois. Will Whois data slim down? Can certain parties get access to non-public data? Stay tuned.