Written By Mian Fahad, WhoisFreaks Team Published: October 06, 2023, Last Updated: April 27, 2026
WHOIS privacy (also called domain privacy protection or WHOIS privacy protection) is a service offered by domain registrars that replaces a registrant's personal contact information in the public WHOIS database with generic proxy details. Instead of your name, address, phone number, and email appearing in public WHOIS records, the registrar's privacy service details appear in their place. The service forwards any legitimate communication to your actual contact details without exposing them publicly.
When you register a domain name, ICANN requires registrars to collect your name, address, phone number, and email address. Traditionally, that data was published publicly in the WHOIS database, visible to anyone running a lookup. WHOIS privacy protection is the mechanism that hides it.
The EU's General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018, forced ICANN and domain registrars to rethink how registrant data gets handled. Registrars began redacting personal information by default for EU registrants, but GDPR's reach extended further: most registrars applied data redaction globally rather than maintaining separate systems per jurisdiction. The result is that most domains registered today already display "REDACTED FOR PRIVACY" in public WHOIS queries, regardless of whether the owner explicitly purchased a privacy service.
Then, on January 28, 2025, ICANN formally sunset WHOIS for gTLDs. The Registration Data Access Protocol (RDAP) became the required replacement, adding structured JSON responses, HTTPS encryption, and tiered access control that WHOIS never had.
This article explains what WHOIS privacy protection does, how GDPR changed the baseline for all registrants, and what the shift to RDAP means for security teams, domain owners, and anyone querying registration data today.
The WHOIS database, at its core, holds details about domain ownership. It covers the domain owner's name, contact details, registration dates, and more. Historically, it has been a valuable resource for purposes such as identifying who registered a domain, addressing technical issues, and combating online abuse.
The importance of WHOIS data lies in its ability to provide transparency in the world of domain registration. It offers insight into who operates a particular website.
With the GDPR in effect, concerns arose about collecting and publishing WHOIS data, driven by the potential to disclose sensitive data and the risk of identity theft. The GDPR, designed to enhance data protection and privacy rights, imposed strict requirements on how entities handle personal data. This forced domain registrars and registries, under ICANN's purview, to review their WHOIS data practices to ensure compliance.
ICANN introduced the Temporary Specification for gTLD Registration Data in direct response to GDPR. This specification gave domain registrars and registries a framework to align their WHOIS data practices with GDPR requirements. It includes guidelines for data redaction and defining legitimate interests in accessing WHOIS data.
Not all WHOIS data was redacted. The fields that do not qualify as personal data under GDPR still appear in public RDAP and WHOIS queries. For security teams, brand protection analysts, and domain investigators, understanding exactly what survives is what makes post-GDPR workflows functional.
Fields that remain publicly visible in most gTLD queries:
| Field | Publicly Visible? | Notes |
|---|---|---|
| Domain name | Yes | Always returned |
| Registrar name | Yes | ICANN-accredited registrar |
| Registrar IANA ID | Yes | Numeric registrar identifier |
| Registrar abuse contact | Yes | Required to remain public |
| Registration date | Yes | When the domain was first registered |
| Last updated date | Yes | Most recent modification timestamp |
| Expiry date | Yes | Domain renewal deadline |
| Nameservers | Yes | All delegated nameserver hostnames |
| Domain status codes | Yes | clientTransferProhibited, serverHold, etc. |
| DNSSEC status | Yes | Whether the domain is signed |
| Registrant name | Redacted for individuals | May still appear for organizations at some registrars |
| Registrant email | Redacted | Replaced with privacy proxy address or redacted string |
| Registrant phone | Redacted | Replaced with privacy proxy address or redacted string |
| Registrant postal address | Redacted | Replaced with privacy proxy address or redacted string |
| Technical Registrant Details | Redacted | Replaced with privacy proxy address or redacted string |
| Administrative Registrant Details | Redacted | Replaced with privacy proxy address or redacted string |
| Billing Registrant Details | Redacted | Replaced with privacy proxy address or redacted string |
ccTLD policies differ significantly. GDPR's redaction requirement applies to gTLD registrars under ICANN's framework. Country-code registries set their own rules. The .us registry requires registrant contact data for most non-personal domains. Germany's .de and Austria's .at registries frequently still show registrant name and city. Always check the specific ccTLD registry policy before assuming data is unavailable.
Business registrations are a separate case. GDPR protects natural persons, not legal entities. Some registrars continue to publish registrant organization name and business address when the registrant is a company. This varies by registrar and TLD, so treat it as possible rather than guaranteed.
For security investigations, the persistent technical fields are often sufficient as a starting point. Registration date patterns, shared nameserver infrastructure, and registrar concentration can reveal domain clusters even without personal contact data.
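The clustering idea in the previous paragraph, as an added example (not WhoisFreaks code): it groups domains that share a registrar and nameserver set, then keeps runs of registrations that fall close together in time. The records, domain names, IANA IDs, and the `find_clusters` function with its `window_days` and `min_size` parameters are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed records: only fields that remain public after redaction.
NS_A = ["ns1.dns-host.example", "ns2.dns-host.example"]
NS_B = ["ns1.other-dns.example", "ns2.other-dns.example"]
RECORDS = [
    {"domain": "brand-login.example", "iana_id": "9999",
     "registered": date(2025, 3, 1), "nameservers": NS_A},
    {"domain": "brand-secure.example", "iana_id": "9999",
     "registered": date(2025, 3, 2), "nameservers": NS_A},
    {"domain": "brand-verify.example", "iana_id": "9999", "registered": date(2025, 3, 2),
     "nameservers": ["NS2.DNS-HOST.EXAMPLE.", "ns1.dns-host.example"]},
    {"domain": "old-site.example", "iana_id": "9999",
     "registered": date(2019, 6, 10), "nameservers": NS_A},
    {"domain": "unrelated.example", "iana_id": "1234",
     "registered": date(2025, 3, 1), "nameservers": NS_B},
]

def find_clusters(records, window_days=3, min_size=3):
    """Return groups of domains that share a registrar and nameserver set and
    were registered in a run where consecutive dates are <= window_days apart."""
    groups = defaultdict(list)
    for rec in records:
        # Normalise case and trailing dots so the same nameserver set always matches.
        ns_key = frozenset(ns.lower().rstrip(".") for ns in rec["nameservers"])
        groups[(rec["iana_id"], ns_key)].append(rec)

    clusters = []
    for (iana_id, ns_key), members in groups.items():
        members.sort(key=lambda r: r["registered"])
        run = []
        for rec in members + [None]:  # the trailing None flushes the final run
            gap_ok = (rec is not None and run and
                      rec["registered"] - run[-1]["registered"] <= timedelta(days=window_days))
            if run and not gap_ok:
                if len(run) >= min_size:
                    clusters.append({"iana_id": iana_id, "nameservers": sorted(ns_key),
                                     "domains": [r["domain"] for r in run]})
                run = []
            if rec is not None:
                run.append(rec)
    return clusters
```

On the constructed data this reports one cluster of three `brand-*` domains; the 2019 registration on the same nameservers is excluded because its date falls outside the run.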
Run a live WHOIS query for any domain using the WhoisFreaks WHOIS Lookup to see exactly which fields your target domain currently returns.
WHOIS privacy protection is a domain registrar service that masks a registrant's personal contact data in the public WHOIS database. When a domain is registered without privacy protection, the registrant's name, organization, email address, phone number, and postal address appear publicly in WHOIS records. Any person or automated tool running a WHOIS query can see this data.
When privacy protection is enabled, the registrar replaces all personal fields with details belonging to a proxy or privacy service. A typical protected record looks like this:
| WHOIS Field | Without Privacy Protection | With Privacy Protection |
|---|---|---|
| Registrant Name | Jane Smith | REDACTED FOR PRIVACY |
| Email | [email protected] | [email protected] |
| Phone | +1 555 123 4567 | REDACTED FOR PRIVACY |
| Address | 123 Main St, New York, NY | Privacy Service PO Box, Redacted |
| Organization | Smith Consulting LLC | REDACTED FOR PRIVACY |
The registrar's privacy service still forwards legitimate messages (transfer approval notices, renewal reminders, abuse reports) to the actual registrant's email. The registrant's identity stays private from public queries while the domain still functions normally.
Redacted does not mean inaccessible. It means access is gated and requires a stated purpose.
ICANN RDRS
The Registration Data Request Service (RDRS) is ICANN's portal for verified parties to request non-public registrant data. It replaced the informal per-registrar email request process that was the only available route from 2018 to 2023.
Who qualifies to submit a request:
Requestors create a verified account at the ICANN portal, identify the domain, specify the data needed, and document the legitimate interest. Registrars review requests individually and are not required to fulfill every one, but ICANN tracks compliance.
Registrar direct contact
For time-sensitive situations or registrars outside the RDRS system, contacting the registrar's abuse or legal team directly with documented purpose remains a valid route. Most ICANN-accredited registrars maintain a published abuse contact, which is required to appear in public WHOIS and RDAP output.
Historical WHOIS databases
WHOIS history archives preserve registration records captured before the 2018 redaction took effect and at snapshot points throughout a domain's lifecycle. These records are publicly accessible without gated requests and are frequently useful for brand infringement investigations, fraud attribution, and domain provenance analysis. The WhoisFreaks WHOIS History API provides programmatic access to multi-year registration histories across millions of domains.
RDAP (Registration Data Access Protocol) is the formal replacement for the legacy WHOIS protocol for generic top-level domains. On January 28, 2025, ICANN made RDAP the required protocol for all gTLD registries and registrars, officially sunsetting WHOIS for that category of domains. WHOIS remains in use for some country-code TLDs, but for .com, .net, .org, and other gTLDs, RDAP is now the authoritative data source.
RDAP solves three problems WHOIS never could:
WHOIS returns free-form text that varies unpredictably across registrars. RDAP returns standardized JSON objects, which parse reliably in automated systems without custom per-registrar parsers.
WHOIS had no authentication layer: everyone received the same data, or no one did. RDAP supports differentiated access, returning redacted data to public queries and full data to verified parties through ICANN's Registration Data Request Service (RDRS). Authorized parties include law enforcement agencies, security researchers with verified credentials, and trademark holders pursuing UDRP proceedings.
WHOIS transmitted data in plaintext. RDAP uses HTTPS. RDAP also supports non-ASCII characters in domain names and contact fields, which WHOIS could not handle.
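To show what the structured JSON buys an automated workflow, here is an added example (not WhoisFreaks code or output) that parses a constructed RDAP domain response and extracts the publicly visible fields from the table earlier in the article. The sample response, the registrar name, IANA ID 9999, and the helper names `vcard` and `public_fields` are assumptions made for the example.

```python
import json

# Constructed RDAP domain response (RFC 9083 layout, trimmed); all values made up.
SAMPLE = json.loads("""{
 "objectClassName": "domain", "ldhName": "EXAMPLE-SHOP.COM",
 "status": ["client transfer prohibited"], "secureDNS": {"delegationSigned": false},
 "events": [
  {"eventAction": "registration", "eventDate": "2024-03-01T10:15:00Z"},
  {"eventAction": "last changed", "eventDate": "2025-02-11T08:00:00Z"},
  {"eventAction": "expiration", "eventDate": "2026-03-01T10:15:00Z"}],
 "nameservers": [{"ldhName": "NS2.DNS-HOST.EXAMPLE"}, {"ldhName": "ns1.dns-host.example"}],
 "entities": [
  {"roles": ["registrar"],
   "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
   "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [{"roles": ["abuse"], "vcardArray": ["vcard",
     [["email", {}, "text", "abuse@registrar.example"]]]}]},
  {"roles": ["registrant"], "vcardArray": ["vcard",
     [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}]}""")

def vcard(entity, prop):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return next((p[3] for p in props if p[0] == prop), None)

def public_fields(rdap):
    """Pull out the fields that stay public and flag a redacted registrant."""
    by_role = {r: e for e in rdap.get("entities", []) for r in e.get("roles", [])}
    registrar = by_role.get("registrar", {})
    # The abuse contact is nested inside the registrar entity.
    abuse = next((e for e in registrar.get("entities", [])
                  if "abuse" in e.get("roles", [])), {})
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    owner = vcard(by_role.get("registrant", {}), "fn")
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "registrar": vcard(registrar, "fn"),
        "iana_id": next((p["identifier"] for p in registrar.get("publicIds", [])
                         if p.get("type") == "IANA Registrar ID"), None),
        "abuse_email": vcard(abuse, "email"),
        "registered": events.get("registration"),
        "updated": events.get("last changed"),
        "expires": events.get("expiration"),
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "status": rdap.get("status", []),
        "dnssec_signed": rdap.get("secureDNS", {}).get("delegationSigned", False),
        # Assumption: redaction shows up as a missing name or a "REDACTED" marker.
        "registrant_redacted": owner is None or "REDACTED" in owner.upper(),
    }
```

RDAP reports EPP status codes in spaced form, so `clientTransferProhibited` appears as `client transfer prohibited`.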
Research from M3AAWG and APWG documented measurable declines in security teams' ability to detect malicious domains following the Temporary Specification's data redaction requirements, citing extended investigation timelines and reduced access to registrant contact data.
GDPR changed the default for WHOIS data. Most personal registrant information is now redacted from public queries across gTLD registrations, whether or not the registrant purchased a privacy service. RDAP, the formal WHOIS replacement for gTLDs since January 28, 2025, introduced structured access, HTTPS encryption, and tiered data disclosure that the legacy WHOIS protocol was never designed to support.
For most domain owners, the practical takeaway is simple: WHOIS privacy protection remains worth enabling. GDPR gives you partial coverage that varies by registrar and TLD. A privacy service gives you explicit, consistent coverage at the registrar level, across jurisdictions, for both personal and business registrations.
For security teams querying registration data: public RDAP queries now return redacted results by default. Investigative access to full registrant data requires submitting a request through ICANN's RDRS portal. Factor that latency into incident response planning. For ongoing monitoring of new domain registrations matching brand keywords or threat patterns, WhoisFreaks domain monitoring alerts on new registrations using the fields that remain public, without requiring access to redacted contact data.
To query current WHOIS and RDAP data for any domain, use the WhoisFreaks WHOIS Lookup tool.
