Quick Answer
GDPR (General Data Protection Regulation), effective May 2018, dramatically changed WHOIS by requiring most personal data to be redacted from public view. Now, personal names, addresses, phone numbers, and emails are hidden for EU residents and often globally. Legitimate access requires formal requests through registrars. Businesses should still use WHOIS privacy services as extra protection beyond GDPR.
Key Takeaways
✓ GDPR redacts personal WHOIS data by default for EU residents, hiding name, address, phone, and email from public view
✓ Legitimate parties can still access full data through formal requests to registrars for legal, security, or trademark purposes
✓ RDAP replaced traditional WHOIS with a structured, tiered access system supporting both public and authenticated queries
✓ WHOIS privacy services are still recommended, as they provide consistent global protection beyond GDPR requirements
✓ Business domains less protected than personal—company information often remains visible under GDPR
✓ Domain operations still function (transfers, disputes, enforcement) through proper channels despite data redaction
✓ TLD-specific rules vary—ccTLDs follow local laws, gTLDs follow ICANN guidance with registrar implementation differences
What Changed After GDPR
Before GDPR (pre-May 2018):
- All registrant contact info public
- Name, address, phone, email visible
- Anyone could look up records freely
- Privacy required paid services
After GDPR (May 2018+):
- Personal data redacted by default
- Email, phone, address hidden
- Registrar contact shown instead
- EU residents especially protected
Example WHOIS transformation:
Before GDPR:
Registrant: John Smith
Email: [email protected]
Phone: +44 20 1234 5678
Address: 123 Main Street, London, UK
After GDPR:
Registrant: REDACTED FOR PRIVACY
Email: Please query registrar RDAP
Phone: REDACTED FOR PRIVACY
Address: REDACTED FOR PRIVACY
What Information Is Hidden
Now redacted from public WHOIS:
✅ Personal names (individuals)
✅ Email addresses (personal)
✅ Phone numbers
✅ Street addresses
✅ Postal codes (specific)
✅ Organization names (personal businesses)
Still public:
✓ Domain name
✓ Registrar name
✓ Creation/expiration dates
✓ Nameservers
✓ Domain status codes
Gray areas:
- Organization names (corporate) - Often visible
- Country - Sometimes visible
- State/Province - Sometimes visible
Who Can Still Access Full WHOIS
Legitimate access parties:
Law enforcement: Police investigations, fraud cases, criminal activity
Intellectual property owners: Trademark disputes, copyright infringement, UDRP complaints
Cybersecurity researchers: Threat investigations, malware tracking, abuse reporting
Legal purposes: Lawsuits, discovery process, domain ownership verification
Access method: Request through registrar, RDAP protocol, legal process
RDAP: The GDPR-Compliant Alternative
RDAP (Registration Data Access Protocol) replaced WHOIS for structured access.
Key features:
- JSON format
- Tiered access
- Redacted by default
- Authentication possible
- Consistent globally
How to use:
https://rdap.org/domain/yourdomain.com
Shows redacted info to public, full info to authorized parties.
WHOIS Privacy Services Still Needed?
Yes. Here's why:
✓ Consistent protection globally
✓ All contact types hidden
✓ Business domains protected
✓ Additional security layer
✓ Email forwarding without exposing real address
✓ Reduces spam further
GDPR limitations:
- Only applies to EU residents
- Only covers personal data
- Business domains may not be protected
- Varies by TLD/registrar
Best practice: Use WHOIS privacy even with GDPR
Cost: Free to $10/year
Impact on Domain Operations
Domain transfers: More complex, may require identity verification, EPP codes still work
Dispute resolution: UDRP still functions, complainants can access info through process
Trademark enforcement: Trademark holders can request info with legitimate interest
Abuse reporting: Report through registrar, law enforcement retains access
Different Rules by Domain Type
Generic TLDs (.com, .net, .org): Follow ICANN GDPR guidance, mostly redacted
Country code TLDs: Follow local laws, varies by country
- .uk: Personal data redacted, follows UK GDPR
- .de: Strict privacy, minimal public data
- .us: Nexus requirements, some data visible
New gTLDs: Generally follow ICANN guidance
Business vs Personal Domains
Personal domains: Maximum GDPR protection, all personal data redacted
Business domains: Company name often visible, business address may show, less redaction
Recommendation: Businesses should still use privacy services for spam protection and controlled disclosure
How to Check Your WHOIS Status
Method 1: Online WHOIS Lookup
- whois.domaintools.com
- whois.icann.org
- Your registrar's WHOIS tool
Method 2: Command Line
whois yourdomain.com
Method 3: RDAP Query
https://rdap.org/domain/yourdomain.com
Look for: Is personal info visible, or does it say "REDACTED FOR PRIVACY"?
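The Method 3 check can be automated by reading the registrant entity out of the RDAP JSON and listing which contact fields are still readable. The following is an added example, not code from this article or any registrar: the response is a constructed sample in the RFC 9083 layout, and the names registrant_exposure, declared_redactions and PLACEHOLDERS are hypothetical, with placeholder matching done by a simple keyword heuristic.

```python
# Constructed RDAP domain response in the RFC 9083 layout; every value is made up.
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "yourdomain.com",
    "entities": [
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "REDACTED FOR PRIVACY"],
             ["org", {}, "text", "Example Widgets Ltd"],
             ["adr", {}, "text", ["", "", "", "", "", "", "GB"]],
             ["email", {}, "text", "Please query registrar RDAP"]]]},
    ],
    # RFC 9537 "redacted" member: the server's own list of withheld fields.
    "redacted": [{"name": {"description": "Registrant Name"}},
                 {"name": {"description": "Registrant Email"}}],
}

# Heuristic markers of a redaction placeholder (assumption, extend as needed).
PLACEHOLDERS = ("redacted", "privacy", "query registrar", "not disclosed")
# jCard property name -> label used in the report.
PERSONAL = {"fn": "name", "org": "organization", "adr": "address",
            "tel": "phone", "email": "email"}

def _flatten(value):
    """Join nested jCard values (e.g. the 7-part adr list) into one string."""
    if isinstance(value, list):
        return " ".join(filter(None, (_flatten(v) for v in value)))
    return str(value or "").strip()

def registrant_exposure(rdap):
    """Return {label: value} for registrant contact fields that are still readable."""
    exposed = {}
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue  # registrar and abuse contacts are public by design
        for name, _params, _type, *values in entity.get("vcardArray", ["vcard", []])[1]:
            text = _flatten(values)
            if name in PERSONAL and text and not any(p in text.lower() for p in PLACEHOLDERS):
                exposed.setdefault(PERSONAL[name], text)
    return exposed

def declared_redactions(rdap):
    """Field names the server itself reports as redacted (RFC 9537), if any."""
    return [r.get("name", {}).get("description") or r.get("name", {}).get("type", "")
            for r in rdap.get("redacted", [])]
```

On the sample, the organization name and country come back as exposed, which matches the gray areas listed earlier; an empty result means the public view shows no registrant contact data.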
Enabling WHOIS Privacy
Steps:
- Log into registrar account
- Navigate to domain management
- Find "WHOIS Privacy" or "Domain Privacy"
- Enable/turn on
- Save changes
- Wait 24-48 hours for propagation
- Verify with WHOIS lookup
Registrars with free privacy:
- Cloudflare
- Porkbun
- Namecheap
- Hover
- Google Domains/Squarespace
Next Steps
Protect Your Domain:
- Check your WHOIS status: Run lookup on your domains
- Enable privacy if needed: Domain Privacy Protection Guide
- Secure your account: How to Protect Your Domain from Hijacking
Learn More:
- Understanding RDAP: RDAP vs WHOIS differences
- Domain security: Security Best Practices
- Privacy options: WHOIS Privacy vs Proxy Privacy