
WHOIS Privacy After GDPR: What Changed? (2025 Guide)

Learn how GDPR changed WHOIS data privacy. Understand what information is now hidden, who can access it, and how domain privacy works post-GDPR.

Published 2025-02-12
Updated 2025-11-15
By DomainDetails Team

What You'll Learn

  • How GDPR transformed WHOIS data privacy
  • What information is now hidden vs still public
  • How legitimate parties can still access data
  • What RDAP is and how it replaced traditional WHOIS
  • Implications for domain security and brand protection

What Changed After GDPR

The General Data Protection Regulation (GDPR), effective May 2018, dramatically changed WHOIS by requiring personal data to be redacted from public view for EU residents -- and in practice, most registrars now apply similar protections globally.

Before GDPR: All registrant contact info was publicly visible. Name, email, phone, address -- anyone could look it up freely. Privacy required paid services.

After GDPR: Personal data is redacted by default. Registrar contact information is shown instead of personal details. Privacy protection is essentially built into the system for most domains.

What Is Now Hidden

Redacted from public WHOIS:

  • Personal names (for individuals)
  • Email addresses
  • Phone numbers
  • Street addresses
  • Postal codes

Still publicly visible:

  • Domain name
  • Registrar name
  • Creation and expiration dates
  • Nameserver information
  • Domain status codes (EPP codes)

Gray areas: Organization names for businesses are often still visible. Country and state/province information varies by registrar.

Who Can Still Access Full Data?

GDPR does not eliminate access -- it restricts public access. Legitimate parties can still obtain full registrant data through formal requests:

  • Law enforcement -- with proper legal authority
  • Trademark holders -- for enforcement and UDRP proceedings
  • Security researchers -- for abuse investigation
  • ICANN compliance -- for regulatory purposes

The process requires contacting the registrar directly with a legitimate reason and appropriate documentation.

RDAP: The New WHOIS

RDAP (Registration Data Access Protocol) has replaced the traditional WHOIS protocol. Key differences:

Structured data: RDAP returns data in a standardized format (JSON), making it easier to process programmatically.

Tiered access: RDAP supports different access levels -- public queries see redacted data, while authenticated queries from authorized parties see more.

Better privacy: Built with GDPR compliance in mind, RDAP natively supports data redaction.

Referral system: RDAP can redirect queries to the appropriate registrar's RDAP service for the most current data.

Implications for Security Professionals

Brand protection is harder. Identifying domain squatters and trademark infringers requires formal data requests rather than simple WHOIS lookups. Monitoring services have become more important.

Phishing investigation is slower. Tracing malicious domains to their registrants now requires working through registrar channels with proper justification.

Security monitoring adapts. Tools like DomainDetails use RDAP for monitoring while working within the privacy framework, tracking changes to public data (nameservers, status codes, expiration dates) as security indicators.

What This Means for You

As a domain owner:

  • Your personal data is better protected than ever
  • Still use WHOIS privacy for an additional layer of protection
  • Business domains may have less protection than personal domains
  • Keep your registrar contact information accurate even though it is not public

As a security professional:

  • Use RDAP-based tools for domain research
  • Expect delays when requesting full registrant data
  • Monitor publicly available indicators (nameservers, status codes) for security changes
  • Work with registrars through proper channels for abuse investigation
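
The monitoring approach described under "Implications for Security Professionals" and in the list above, worked through as an added example (not DomainDetails code): two snapshots of a domain's public registration data are compared and the changes that matter for hijacking and expiry risk are flagged. The snapshots are constructed, the domain, registrar and nameserver names are placeholders, the field names are this example's own convention, and the "high"/"medium" severities are labels chosen here rather than any standard.

```python
"""Diff two snapshots of a domain's public registration data and flag the
changes that matter for security monitoring: nameservers, status codes,
registrar and expiration. Added example, not DomainDetails code. The snapshots
are constructed (domain, registrar and nameserver names are placeholders), the
field names are this example's own convention, and the severities are labels
chosen here, not a standard."""

from datetime import date, datetime, timezone

# EPP status codes that lock a domain against transfer, deletion or update.
PROTECTIVE_STATUS = {
    "clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited",
    "serverTransferProhibited", "serverDeleteProhibited", "serverUpdateProhibited",
}
# EPP status codes that mark a lifecycle state worth a closer look.
LIFECYCLE_STATUS = {"pendingTransfer", "pendingDelete", "redemptionPeriod", "clientHold", "serverHold"}

# Constructed snapshots of one domain taken a week apart.
SNAPSHOT_BEFORE = {
    "domain": "example-monitored.com",
    "registrar": "Example Registrar, Inc.",
    "nameservers": ["ns1.example-dns.net.", "NS2.example-dns.net"],
    "status": ["clientTransferProhibited", "clientDeleteProhibited"],
    "expires": "2026-03-01",
}
SNAPSHOT_AFTER = {
    "domain": "example-monitored.com",
    "registrar": "Example Registrar, Inc.",
    "nameservers": ["ns1.unrecognised-dns.example", "ns2.unrecognised-dns.example"],
    "status": ["clientDeleteProhibited", "pendingTransfer"],
    "expires": "2026-03-01",
}


def _normalise_ns(names):
    """Nameserver names are case-insensitive and a trailing dot is cosmetic."""
    return {n.lower().rstrip(".") for n in names}


def compare_snapshots(old, new, today=None, expiry_warn_days=30):
    """Return (severity, message) findings for changes between two snapshots.
    'today' is an ISO date string; it defaults to the current UTC date."""
    today = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    findings = []

    old_ns, new_ns = _normalise_ns(old["nameservers"]), _normalise_ns(new["nameservers"])
    if old_ns != new_ns:
        findings.append(("high", f"nameservers changed: {sorted(old_ns)} -> {sorted(new_ns)}"))

    old_status, new_status = set(old["status"]), set(new["status"])
    lost_locks = (old_status - new_status) & PROTECTIVE_STATUS
    if lost_locks:
        findings.append(("high", f"protective status removed: {sorted(lost_locks)}"))
    new_lifecycle = (new_status - old_status) & LIFECYCLE_STATUS
    if new_lifecycle:
        findings.append(("medium", f"lifecycle status appeared: {sorted(new_lifecycle)}"))

    if old["registrar"] != new["registrar"]:
        findings.append(("high", f"registrar changed: {old['registrar']!r} -> {new['registrar']!r}"))

    days_left = (date.fromisoformat(new["expires"]) - today).days
    if days_left < 0:
        findings.append(("high", f"domain expired {-days_left} days ago"))
    elif days_left <= expiry_warn_days:
        findings.append(("medium", f"domain expires in {days_left} days"))
    return findings


def highest_severity(findings):
    """Roll the findings up to a single level for alert routing."""
    order = {"high": 2, "medium": 1}
    return max((s for s, _ in findings), key=order.get, default="none")


def demo_findings():
    """Run the comparison on the constructed snapshots as of 2026-02-15."""
    return compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, today="2026-02-15")


if __name__ == "__main__":
    findings = demo_findings()
    print(f"overall: {highest_severity(findings)}")
    for severity, message in findings:
        print(f"[{severity}] {message}")
```

Run against the constructed snapshots this reports four findings: the nameserver switch and the dropped transfer lock as high, the new pendingTransfer state and the 14-day expiry window as medium. Nameservers are compared as normalised sets because registries return them in varying case and with or without a trailing dot; treating those as "changes" would drown real alerts in noise.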

Key Takeaways

  • GDPR (2018) transformed WHOIS by redacting personal data from public view by default
  • Personal names, emails, phones, and addresses are now hidden for most domains
  • Legitimate parties can still access data through formal requests to registrars
  • RDAP has replaced traditional WHOIS with structured, privacy-aware data access
  • Use WHOIS privacy in addition to GDPR protections for comprehensive coverage
  • Business domain data may be less protected than personal domain data

Next Steps

With privacy and account security covered, the next lesson introduces DNSSEC -- a protocol that protects the integrity of DNS responses and prevents attackers from redirecting your visitors to malicious sites.

Deep Dive

The following sections provide additional detail, examples, and reference material.

Key Takeaways

GDPR redacts personal WHOIS data by default for EU residents, hiding name, address, phone, and email from public view

Legitimate parties can still access full data through formal requests to registrars for legal, security, or trademark purposes

RDAP replaced traditional WHOIS with a structured, tiered access system supporting both public and authenticated queries

WHOIS privacy services are still recommended, as they provide consistent global protection beyond GDPR requirements

Business domains are less protected than personal ones: company information often remains visible under GDPR

Domain operations (transfers, disputes, enforcement) still function through proper channels despite data redaction

TLD-specific rules vary: ccTLDs follow local laws, while gTLDs follow ICANN guidance with registrar implementation differences

What Changed After GDPR

Before GDPR (pre-May 2018):

  • All registrant contact info public
  • Name, address, phone, email visible
  • Anyone could look it up freely
  • Privacy required paid services

After GDPR (May 2018+):

  • Personal data redacted by default
  • Email, phone, address hidden
  • Registrar contact shown instead
  • EU residents especially protected

Example WHOIS transformation:

Before GDPR:

Registrant: John Smith
Email: [email protected]
Phone: +44 20 1234 5678
Address: 123 Main Street, London, UK

After GDPR:

Registrant: REDACTED FOR PRIVACY
Email: Please query registrar RDAP
Phone: REDACTED FOR PRIVACY
Address: REDACTED FOR PRIVACY

What Information Is Hidden

Now redacted from public WHOIS:

  • Personal names (individuals)
  • Email addresses (personal)
  • Phone numbers
  • Street addresses
  • Postal codes (specific)
  • Organization names (personal businesses)

Still public:

  • Domain name
  • Registrar name
  • Creation/expiration dates
  • Nameservers
  • Domain status codes

Gray areas:

  • Organization names (corporate) - Often visible
  • Country - Sometimes visible
  • State/Province - Sometimes visible

Who Can Still Access Full WHOIS

Legitimate access parties:

Law enforcement: Police investigations, fraud cases, criminal activity

Intellectual property owners: Trademark disputes, copyright infringement, UDRP complaints

Cybersecurity researchers: Threat investigations, malware tracking, abuse reporting

Legal purposes: Lawsuits, discovery process, domain ownership verification

Access method: Request through registrar, RDAP protocol, legal process

RDAP: The GDPR-Compliant Alternative

RDAP (Registration Data Access Protocol) replaced WHOIS for structured access.

Key features:

  • JSON format
  • Tiered access
  • Redacted by default
  • Authentication possible
  • Consistent globally

How to use:

https://rdap.org/domain/yourdomain.com

Shows redacted info to public, full info to authorized parties.

WHOIS Privacy Services Still Needed?

Yes. Here's why:

  • Consistent protection globally
  • All contact types hidden
  • Business domains protected
  • Additional security layer
  • Email forwarding without exposing real address
  • Reduces spam further

GDPR limitations:

  • Only applies to EU residents
  • Only covers personal data
  • Business domains may not be protected
  • Varies by TLD/registrar

Best practice: Use WHOIS privacy even with GDPR

Cost: Free to $10/year

Impact on Domain Operations

Domain transfers: More complex, may require identity verification, EPP codes still work

Dispute resolution: UDRP still functions, complainants can access info through process

Trademark enforcement: Trademark holders can request info with legitimate interest

Abuse reporting: Report through registrar, law enforcement retains access

Different Rules by Domain Type

Generic TLDs (.com, .net, .org): Follow ICANN GDPR guidance, mostly redacted

Country code TLDs: Follow local laws, varies by country

  • .uk: Personal data redacted, follows UK GDPR
  • .de: Strict privacy, minimal public data
  • .us: Nexus requirements, some data visible

New gTLDs: Generally follow ICANN guidance

Business vs Personal Domains

Personal domains: Maximum GDPR protection, all personal data redacted

Business domains: Company name often visible, business address may show, less redaction

Recommendation: Businesses should still use privacy services for spam protection and controlled disclosure

How to Check Your WHOIS Status

Method 1: Online WHOIS Lookup

  • whois.domaintools.com
  • whois.icann.org
  • Your registrar's WHOIS tool

Method 2: Command Line

whois yourdomain.com

Method 3: RDAP Query

https://rdap.org/domain/yourdomain.com

Look for: whether personal info is visible or shows "REDACTED FOR PRIVACY".
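
The RDAP response format described in the "RDAP" sections above (JSON, tiered access, redaction, referral to the registrar's own server) and the "is personal info visible or redacted?" check from Method 3, worked through as an added example that is not DomainDetails code. Both responses are constructed to mimic the RFC 9083 shape a public RDAP query returns; the domain names, registrar, nameservers and referral URL are placeholders. The code pulls out the fields the article lists as still public, converts RDAP status values to the EPP codes WHOIS users know, and reports which registrant contact properties actually carry visible values.

```python
"""Parse an RDAP domain response (RFC 9083 JSON) and report which registration
data is public and whether the registrant's contact data is redacted.
Added example, not DomainDetails code. Both responses below are constructed to
mimic the RDAP shape; domain names, registrar, nameservers and the referral URL
are placeholders."""

import json
import re

# Phrases registrars commonly substitute for redacted contact values.
REDACTED_RE = re.compile(r"redacted|please query|query the rdds", re.I)

# Constructed: a personal domain whose registrant contact is fully redacted.
REDACTED_RESPONSE = json.loads("""{
  "objectClassName": "domain", "ldhName": "example-personal.com",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "events": [{"eventAction": "registration", "eventDate": "2019-04-10T12:00:00Z"},
             {"eventAction": "expiration", "eventDate": "2026-04-10T12:00:00Z"}],
  "nameservers": [{"ldhName": "ns1.example-dns.net"}, {"ldhName": "ns2.example-dns.net"}],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar, Inc."]]]},
    {"roles": ["registrant"],
     "remarks": [{"title": "REDACTED FOR PRIVACY", "description": ["Some of the data in this object has been removed."]}],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                              ["email", {}, "text", "Please query the RDDS service of the Registrar of Record"]]]}
  ],
  "links": [{"rel": "related", "type": "application/rdap+json",
             "href": "https://rdap.example-registrar.net/domain/example-personal.com"}]
}""")

# Constructed: a business domain where the organisation and country remain
# visible (the "gray area" the article describes).
BUSINESS_RESPONSE = json.loads("""{
  "objectClassName": "domain", "ldhName": "example-business.com", "status": ["active"],
  "events": [{"eventAction": "expiration", "eventDate": "2027-01-15T00:00:00Z"}],
  "nameservers": [{"ldhName": "ns1.example-dns.net"}],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar, Inc."]]]},
    {"roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                              ["org", {}, "text", "Example Widgets Ltd"],
                              ["adr", {}, "text", ["", "", "", "", "", "", "GB"]],
                              ["email", {}, "text", "Please query the RDDS service of the Registrar of Record"]]]}
  ],
  "links": []
}""")


def rdap_status_to_epp(status):
    """Map an RDAP status value (RFC 8056) to the EPP code WHOIS users know,
    e.g. 'client transfer prohibited' -> 'clientTransferProhibited'.
    Assumption: this word-joining rule is enough for the values checked here."""
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])


def contact_fields(entity):
    """Flatten an entity's jCard (vcardArray) into {property: value}."""
    fields = {}
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] in ("fn", "org", "email", "tel", "adr"):
            fields[prop[0]] = prop[3]
    return fields


def visible_contact_fields(entity):
    """Return only the contact properties carrying real, non-redacted values.
    Structured address values are joined and empty components dropped."""
    visible = {}
    for name, value in contact_fields(entity).items():
        if isinstance(value, list):
            value = ", ".join(part for part in value if part)
        if value and not REDACTED_RE.search(str(value)):
            visible[name] = value
    return visible


def parse_rdap_domain(doc):
    """Extract the fields the article lists as public, the registrar, the
    registrant data that is actually visible, and any referral link to the
    registrar's own RDAP server (which holds the most current record)."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    by_role = {role: ent for ent in doc.get("entities", []) for role in ent.get("roles", [])}
    registrant = by_role.get("registrant", {})
    referral = next((link["href"] for link in doc.get("links", [])
                     if link.get("rel") == "related" and link.get("type") == "application/rdap+json"), None)
    return {
        "domain": doc.get("ldhName"),
        "status": [rdap_status_to_epp(s) for s in doc.get("status", [])],
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "nameservers": [ns["ldhName"] for ns in doc.get("nameservers", [])],
        "registrar": contact_fields(by_role.get("registrar", {})).get("fn"),
        "registrant_visible": visible_contact_fields(registrant),
        "redaction_remark": any(REDACTED_RE.search(r.get("title", "")) for r in registrant.get("remarks", [])),
        "referral": referral,
    }


if __name__ == "__main__":
    for doc in (REDACTED_RESPONSE, BUSINESS_RESPONSE):
        print(json.dumps(parse_rdap_domain(doc), indent=2))
```

For the personal domain the parser reports no visible registrant fields plus a REDACTED remark and a referral URL; for the business domain it reports the organisation name and country as visible while the personal name and email stay hidden, which is exactly the partial redaction the "gray areas" list warns about. The regex of placeholder phrases is deliberately loose: registrars word their redaction notices differently, so a practitioner should extend it from the responses they actually see rather than rely on one exact string.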

Enabling WHOIS Privacy

Steps:

  1. Log into registrar account
  2. Navigate to domain management
  3. Find "WHOIS Privacy" or "Domain Privacy"
  4. Enable/turn on
  5. Save changes
  6. Wait 24-48 hours for propagation
  7. Verify with WHOIS lookup

Registrars with free privacy:

  • Cloudflare
  • Porkbun
  • Namecheap
  • Hover
  • Squarespace Domains

Next Steps

Protect Your Domain:

  1. Check your WHOIS status: Run a lookup on your domains
  2. Enable privacy if needed: Domain Privacy Protection Guide
  3. Secure your account: How to Protect Your Domain from Hijacking

Learn More:

  1. Understanding RDAP: RDAP vs WHOIS differences
  2. Domain security: Security Best Practices
  3. Privacy options: WHOIS Privacy vs Proxy Privacy
