GDPR (2018) forced ICANN to redact personal WHOIS data for EU registrants. This is now standard globally. 91% of domains show privacy-protected WHOIS even without a paid privacy service.
Pre-GDPR vs Post-GDPR
Before 2018: All registrant details (name, address, phone, email) publicly visible in WHOIS. After 2018: Personal data redacted by default. Corporate registrations still show company details.
What GDPR Protects
Individual registrants (personal domains, sole traders) get automatic WHOIS data redaction. Company registrations (Ltd, PLC, LLC, GmbH) may still show corporate address and contact in some registries.
Verification Process
The registrar checks whether the registrant is an individual or an organization. If an individual, the data is redacted. If an organization, corporate details are shown (since companies are public entities). Some registrars redact all by default.
CCPA (California)
The California Consumer Privacy Act applies to US registrants. It is similar to GDPR but weaker. Registrants can request WHOIS data deletion. Most US registrars now redact by default following GDPR precedent.
Corporate vs personal: Register a domain as an individual? You get privacy. Register as a Ltd company? The company name and registered office may appear in WHOIS (already public at Companies House).
Tiered Access Model
ICANN implemented tiered WHOIS access post-GDPR. Tier 1 (public): Redacted data. Tier 2 (verified requesters): Law enforcement and IP lawyers can request unredacted data with a legitimate reason.
Registrar Privacy Services
Still relevant post-GDPR. A privacy service replaces your email with a proxy. Public WHOIS shows "privacy@registrar.com" instead of nothing. It forwards legitimate contacts and filters spam.
Cost Post-GDPR
Many registrars now include privacy for free (since GDPR mandates baseline protection anyway). Paid privacy (£3-8/year) adds email forwarding and enhanced proxy features.
Geographic Variations
EU/UK: Strong default protection. US: Voluntary (most adopt GDPR standards). China: No privacy (government requires full public records). Russia: Selective (depends on TLD).
ccTLD Differences
.com/.net/.org: ICANN-regulated, GDPR-compliant redaction. .de: Always public (German registry policy). .uk: Nominet redacts personal data. .cn: Fully public. Check specific ccTLD policy.
.de domain paradox: Germany has the strongest privacy laws in the EU, but .de WHOIS is public by registry choice. Register .de as a company to avoid home address exposure.
Legitimate Interest Disclosure
In a trademark dispute, legal action, or law enforcement investigation, the registrar may disclose your data to the requester. Privacy protection doesn't shield against court orders or valid UDRP proceedings.
Email Forwarding
The privacy service shows a proxy email in WHOIS. Legitimate senders (domain sale offers, legal notices) email the proxy, and the registrar forwards the message to your real email. You never expose your real address.
Opt-Out Options
Some registrants want public WHOIS (it makes a business look established). They can opt out of privacy/redaction if desired. Not recommended unless it is a corporate registration.
Compliance for Businesses
If you process customer domains (hosting company, registrar, privacy service), you're a data controller under GDPR. You need: a data processing agreement, a legitimate interest basis, and a data retention policy.
Trademark Lens checks domain availability before registration. Enable WHOIS privacy immediately after purchase to ensure GDPR-compliant data protection from day one.