WHOIS Privacy After GDPR: What's Hidden, What Isn't
TL;DR. Before May 2018, anyone could type whois example.com and read the registrant's full name, email, postal address and phone number. GDPR forced ICANN and every gTLD registrar to stop publishing personal data about EU residents — and rather than carve out by jurisdiction the industry redacted it across the board. The technical fields (name servers, dates, status flags) are still public; the human ones are gone, and the disclosure layer that was supposed to replace them has been a slow, contested rollout.
The before times
WHOIS predates the modern web. The protocol (RFC 812, 1982; RFC 3912, 2004) was built when the network was a small enough community that publishing your name, address, phone number and email next to your domain registration was non-controversial — it was useful directory-style information that helped operators reach each other when something broke. ICANN inherited the policy in 1998 and the gTLD registrar contracts required it: every registrant's contact details, in clear text, in a publicly queryable database, indefinitely.
What worked for engineers in the 1980s did not survive the modern internet. By the 2010s WHOIS was an unending mine of personally identifiable information: domain spam, kidnap-for-ransom research, stalker tooling, and at the more mundane end every cold-call lead-gen vendor on Earth. Several attempts at reform — the GNSO's 2012 Expert Working Group, the registrar-level “privacy proxy” products at Namecheap and GoDaddy — chipped at the edges but didn't move the policy floor.
The GDPR collision
May 25, 2018: the General Data Protection Regulation goes into effect across the EU. Article 6 requires a lawful basis for any processing of personal data; Article 13 requires transparency about it; Article 17 grants a right to erasure. Publishing a registrant's name and address on the open internet because an old contract says so does not satisfy any of those.
ICANN scrambled. Its Temporary Specification for gTLD Registration Data went into effect the same day GDPR did and instructed every gTLD registrar to redact personal data from public WHOIS output. The policy applies to every customer regardless of jurisdiction: it wasn't politically possible to maintain separate WHOIS responses for EU and non-EU registrants, and the industry chose the easier path. The Temp Spec became the consensus policy EPDP Phase 1 in 2019, and it has run with only minor amendments since.
ccTLDs (.de, .fr, .uk, .nl, .se, …) sit outside ICANN's contractual reach and made their own independent moves. Several northern-European registries had already restricted display before 2018; the rest followed in the months after.
See it on real records
Three illustrative records — a large US corporate, an individual hobbyist, and a German ccTLD — in 2017 vs today. Flip between the pre- and post-GDPR views to watch the human-facing fields disappear.
Each preset shows the same record as it would have appeared in 2017 versus how it appears today. The values are illustrative — the structure and the redaction wording are faithful to current ICANN and DENIC policy.
Three practical takeaways. A large enterprise registrant still has its organisation name visible almost everywhere (companies are not natural persons under GDPR), so corporate ownership tracking via WHOIS is largely intact. A hobbyist or small operator gets full redaction, which is the biggest single privacy improvement of the past decade for anyone who ever wanted to register a domain without exposing their home address. And ccTLD registries — DENIC for .de in particular — went further than ICANN required and simply stopped publishing registrant data at all.
What survived
Plenty of WHOIS is still usefully public. The matrix below lists every field that used to appear in a gTLD WHOIS response and what its post-2018 status is — along with where the data is still accessible if you have a lawful basis to look.
| Field | Category | Status | Still available via | Notes |
|---|---|---|---|---|
| Domain name & status | Technical | Visible | Public WHOIS / RDAP | Always visible — the protocol can't function otherwise. |
| Name servers | Technical | Visible | Public WHOIS / RDAP | Required for DNS to work; not personal data. |
| DNSSEC presence | Technical | Visible | Public WHOIS / RDAP | DS hash visible at registry, public. |
| Created / Updated / Expires dates | Lifecycle | Visible | Public WHOIS / RDAP | Considered metadata, not personal. |
| Domain Status (clientTransferProhibited …) | Lifecycle | Visible | Public WHOIS / RDAP | EPP status flags published as-is. |
| Sponsoring registrar | Registrar | Visible | Public WHOIS / RDAP | Always visible — useful for abuse reports. |
| Abuse contact email/phone | Registrar | Visible | Public WHOIS / RDAP | Required by RAA 2013; points at the registrar, not the registrant. |
| Organization name | Registrant | Partial | Public if non-natural-person | GitHub Inc. yes; "John Smith Consulting" usually treated as personal data and redacted. |
| Personal name | Registrant | Redacted | Registrar (abuse query), court order | Always hidden for natural persons. Some registrars also hide names of legal entities by default. |
| Email address | Registrant | Redacted | Anonymized contact form at registrar | Many registrars expose a forwarder address that proxies messages to the registrant. |
| Postal address | Registrant | Redacted | Registrar (verified request), court order | Country/state is sometimes shown; full address is redacted. |
| Phone number | Registrant | Redacted | Registrar (verified request), court order | Never shown publicly post-2018. |
| Admin contact | Other contacts | Redacted | Registrar (verified request) | ICANN policy is to omit entirely; some registrars still show org-level admin. |
| Tech contact | Other contacts | Redacted | Registrar (verified request) | Same as admin contact. |
| Billing contact | Billing | Redacted | Registrar only (never public) | Was never well-defined in public WHOIS even pre-GDPR. |
The pattern: technical fields stay public, lifecycle metadata stays public, and everything that identifies a natural person becomes request-only. That is roughly the floor across all gTLDs. ccTLDs vary upwards — most have similar visibility for technical fields, but several show even less registrant data than ICANN requires.
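To make the matrix concrete, here is an added example (not code from the article or from any registrar): a small parser for the "Key: value" lines a registrar WHOIS server returns, which sorts each field into the matrix's categories and marks it visible or redacted, then diffs a 2017-style record against its redacted form. Both records are constructed; the domain, registrar name, IANA ID, names, addresses and dates are placeholders. The redaction strings it looks for (REDACTED FOR PRIVACY and the "Please query the RDDS service" email pointer) are the wording registrars commonly substitute, which is an assumption of the example rather than something the article quotes.

```python
"""Classify the fields of a gTLD WHOIS response as visible or redacted.

Added example, not the article's own code. Registrar WHOIS output is a list
of "Key: value" lines; this parses them into the categories of the matrix
above. Both records are constructed: every name, address and ID is a
placeholder, not real registration data.
"""
from collections import defaultdict

# Constructed 2017-style record: contact fields published in clear text.
PRE_GDPR_WHOIS = """\
Domain Name: EXAMPLE-HOBBY.COM
Registrant Name: Jane Placeholder
Registrant State/Province: Bavaria
Registrant Country: DE
Registrant Email: jane@placeholder.example
Registrant Phone: +49.5555550123
Admin Name: Jane Placeholder
Tech Name: Jane Placeholder
"""

# Constructed post-2018 record for the same hobbyist after redaction.
POST_GDPR_WHOIS = """\
Domain Name: EXAMPLE-HOBBY.COM
Updated Date: 2024-03-02T10:15:00Z
Creation Date: 2016-08-21T09:00:00Z
Registry Expiry Date: 2026-08-21T09:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant Name: REDACTED FOR PRIVACY
Registrant State/Province: Bavaria
Registrant Country: DE
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: signedDelegation
>>> Last update of WHOIS database: 2025-01-01T00:00:00Z <<<
"""

# Wording registrars substitute for withheld values (matched case-insensitively);
# a blank value counts as withheld too. Assumed common phrasings, not a standard list.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "NOT DISCLOSED",
                     "PLEASE QUERY THE RDDS")

# Key prefix -> matrix category. Contact prefixes come first so that
# "Registrant ..." is never matched by the shorter "Registrar" rule.
CATEGORY_RULES = (
    (("Registrant ", "Admin ", "Tech ", "Billing "), "contact"),
    (("Registrar",), "registrar"),
    (("Creation Date", "Updated Date", "Registry Expiry Date", "Domain Status"), "lifecycle"),
    (("Domain Name", "Name Server", "DNSSEC"), "technical"),
)


def parse_whois(text):
    """Yield (key, value) pairs in record order; repeated keys are kept."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue  # trailer, comments and legal notices carry no fields
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            yield key.strip(), value.strip()


def is_redacted(value):
    """True when the value is blank or carries a redaction marker."""
    upper = value.upper()
    return not upper or any(marker in upper for marker in REDACTION_MARKERS)


def categorize(key):
    for prefixes, category in CATEGORY_RULES:
        if key.startswith(prefixes):
            return category
    return "other"


def classify(text):
    """Return {category: {"visible": [keys], "redacted": [keys]}}."""
    report = defaultdict(lambda: {"visible": [], "redacted": []})
    for key, value in parse_whois(text):
        bucket = "redacted" if is_redacted(value) else "visible"
        report[categorize(key)][bucket].append(key)
    return dict(report)


def newly_redacted(old_text, new_text):
    """Fields visible in the old record that the new record withholds."""
    old_visible = {k for k, v in parse_whois(old_text) if not is_redacted(v)}
    return [k for k, v in parse_whois(new_text) if is_redacted(v) and k in old_visible]


if __name__ == "__main__":
    for category, buckets in classify(POST_GDPR_WHOIS).items():
        print(f"{category:10} visible={buckets['visible']} redacted={buckets['redacted']}")
    print("withheld since 2017:", newly_redacted(PRE_GDPR_WHOIS, POST_GDPR_WHOIS))
```

Running it shows the matrix in miniature: every technical, lifecycle and registrar field is visible, the registrant's state and country survive, and the name, email, phone and admin/tech contacts are the fields that changed state between the two records. Feeding it real registrar output works the same way, since the per-registrar differences are mostly in the redaction wording, which is why the marker list is kept in one place.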
The disclosure layer
Redaction does not mean the data is destroyed. It still lives at the registrar (and a copy at the registry). The replacement for “just look at WHOIS” is a layer of authenticated disclosure requests — and that layer has had a slow, contested rollout.
The current options for getting non-public data:
- RDAP (Registration Data Access Protocol). The modern, structured replacement for WHOIS — JSON over HTTPS, with proper authentication. The base level is public-data-only (same fields as redacted WHOIS), but registrars can serve a fuller record to clients with a verified purpose. Adoption of the access layer is uneven; most registrars still treat the public RDAP feed as equivalent to redacted WHOIS.
- Registrar-mediated contact forms. When the registrant has not opted into full disclosure, you go via the registrar's abuse contact. Many registrars run anonymized forwarder addresses (3a7f2b@privacy-protect.example) that proxy email to the registrant without revealing their real address.
- Law-enforcement / court-order pathway. Subpoenaable from the registrar with the right legal process. Substantially harder than typing whois, but the recourse hasn't gone away — it has just become harder to abuse.
- ICANN's Registration Data Request Service (RDRS). Soft-launched in November 2023, the closest thing to a centralised disclosure portal. You make a request, ICANN routes it to the right registrar, the registrar decides. In its first year the request volume was modest and the fulfilment rate uneven.
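The RDAP bullet above describes the structured replacement without showing its shape, so here is an added example that is not part of the article: a constructed RDAP domain object in the layout RFC 9083 specifies (lifecycle dates under events, EPP flags under status using the RFC 8056 names, contacts as entities carrying roles and an RFC 7095 jCard), with a reader that pulls out the public-data baseline and flags the registrant contact as redacted. The domain, registrar, IANA ID, contacts and the remark text are placeholders.

```python
"""Extract the public-data baseline from an RDAP domain response.

Added example, not the article's own code. RDAP (RFC 9083) answers in JSON:
dates under "events", EPP flags under "status" (RFC 8056 names), contacts as
"entities" carrying "roles" and a jCard (RFC 7095). The response below is
constructed: domain, registrar, IANA ID and contacts are placeholders.
"""
import json

RDAP_JSON = """
{
  "objectClassName": "domain",
  "ldhName": "example-hobby.com",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2016-08-21T09:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-08-21T09:00:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.net"},
    {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.net"}
  ],
  "secureDNS": {"delegationSigned": true},
  "entities": [
    {
      "objectClassName": "entity", "roles": ["registrar"],
      "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "Example Registrar, Inc."]]],
      "entities": [{
        "objectClassName": "entity", "roles": ["abuse"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Abuse Contact"],
                                 ["email", {}, "text", "abuse@registrar.example"]]]
      }]
    },
    {
      "objectClassName": "entity", "roles": ["registrant"],
      "remarks": [{"title": "REDACTED FOR PRIVACY",
                   "description": ["Some of the data in this object has been removed."]}],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                               ["adr", {}, "text", ["", "", "", "", "Bavaria", "", "DE"]]]]
    }
  ]
}
"""


def load_sample():
    """Parse the constructed body the way a client parses an HTTPS response."""
    return json.loads(RDAP_JSON)


def vcard_value(entity, prop):
    """First value of a jCard property ("fn", "email", "adr", ...) or None."""
    _, props = entity.get("vcardArray", ["vcard", []])
    for name, _params, _type, value in props:  # each property is a 4-element list
        if name == prop:
            return value
    return None


def entities_with_role(obj, role):
    """Yield entities holding `role`, descending into nested entities
    (the abuse contact hangs under the registrar entity)."""
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            yield ent
        yield from entities_with_role(ent, role)


def is_redacted(entity):
    """Redaction surfaces as a placeholder name and/or a REDACTED remark."""
    name = (vcard_value(entity, "fn") or "").upper()
    titles = " ".join(r.get("title", "") for r in entity.get("remarks", [])).upper()
    return "REDACTED" in name or "REDACTED" in titles


def public_baseline(rdap):
    """Fields that stay public after 2018, plus the registrant's redaction state."""
    registrar = next(entities_with_role(rdap, "registrar"), {})
    abuse = next(entities_with_role(registrar, "abuse"), {})
    registrant = next(entities_with_role(rdap, "registrant"), {})
    adr = vcard_value(registrant, "adr") or [""] * 7  # jCard adr: region=4, country=6
    iana_ids = [p["identifier"] for p in registrar.get("publicIds", [])
                if p.get("type") == "IANA Registrar ID"]
    return {
        "domain": rdap.get("ldhName"),
        "status": rdap.get("status", []),
        "nameservers": [ns["ldhName"] for ns in rdap.get("nameservers", [])],
        "dnssec": bool(rdap.get("secureDNS", {}).get("delegationSigned")),
        "events": {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])},
        "registrar": vcard_value(registrar, "fn"),
        "registrar_iana_id": iana_ids[0] if iana_ids else None,
        "abuse_email": vcard_value(abuse, "email"),
        "registrant": {
            "name": vcard_value(registrant, "fn"),
            "redacted": is_redacted(registrant),
            "region": adr[4],
            "country": adr[6],
        },
    }


if __name__ == "__main__":
    print(json.dumps(public_baseline(load_sample()), indent=2))
```

Against a live service the only difference is where the JSON comes from: a client locates the authoritative RDAP base URL for the TLD through IANA's bootstrap registry (RFC 7484) and fetches the domain object over HTTPS; the public feed returns this same redacted shape, and the fuller record the bullet mentions is only served to authenticated clients where a registrar has implemented that layer.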
The political negotiation behind the disclosure layer is still live in 2025: trademark holders, cybersecurity researchers, and law-enforcement agencies want a faster, more reliable path; privacy advocates and many registrars push back on the volume of routine queries.
What this changed in practice
- Spam volume against new-registration addresses dropped sharply. The single most-cited side effect: scraping the daily WHOIS dump for new registrations was a real, large-scale industry, and it stopped working overnight.
- Brand-protection workflows got slower. Trademark holders relied on WHOIS to identify cybersquatters and direct UDRP complaints at them. The information is still ultimately reachable, but the workflow now goes through registrar disclosure or RDRS.
- Security research adapted. The CTI community lost a casual investigation tool but gained a healthier baseline. Most malware-domain research now starts from passive DNS, certificate transparency, and registrar abuse channels.
- Privacy-by-default is the new normal. Even non-EU registrants typically get redacted WHOIS now; the industry decided one global policy was cheaper than two.
Run a redacted WHOIS lookup
Want to see what a real, modern WHOIS response looks like for any domain? Our WHOIS tool queries the live RDAP / WHOIS endpoints and pulls back exactly the post-redaction shape you saw above. Pair it with IP Details if you need the network-side ownership too — IP WHOIS is governed by a separate set of policies at the Regional Internet Registries and was less affected by GDPR than domain WHOIS.