Before 2018, WHOIS lookups returned every domain registrant’s name, address, email, and phone number publicly. After GDPR, that became illegal in Europe. ICANN responded with a global redaction policy that still shapes domain due diligence today.
What changed
ICANN’s Temporary Specification (later codified) required registrars worldwide to:
- Mask the registrant’s name + email + address + phone from public WHOIS responses.
- Replace those fields with “Redacted for Privacy” or with a forwarding email address managed by the registrar.
- Maintain access for authorized third parties (law enforcement, IP attorneys, security researchers) via a request process.
The redaction is global, not just for EU registrants. The compliance cost of running two parallel systems would have been enormous, so registrars defaulted everyone to redacted.
What’s still public
- Registrar name
- Creation date (when the domain was first registered)
- Expiry date (when the current registration ends)
- Last updated date
- Nameservers
- Domain status flags (clientTransferProhibited, etc.)
These five give you enough to verify the domain is genuinely registered, see how long it’s been around, and know which registrar to contact for transfer.
How to request unredacted data
ICANN runs the Registration Data Request Service (RDRS) — a centralized portal for legitimate disclosure requests. You submit your request explaining the basis (IP infringement, fraud investigation, legal process) and the registrar reviews + decides.
Approval rates vary widely by registrar. Cloudflare and the privacy-focused providers approve sparingly; the larger commercial registrars (GoDaddy, Network Solutions) tend to be more responsive.
What this means for the domain market
Buying due diligence is harder. You can’t directly see who owns a domain you’re considering buying. Reverse-WHOIS tools (the kind that find every domain a person owns) have lost most of their utility.
Trademark enforcement is slower. UDRP filings are still possible, but identifying the right respondent now requires going through the registrar — adding days to every dispute.
Privacy services have collapsed in importance. Before 2018, paid WHOIS privacy was a $5-15/year add-on at most registrars. Today it’s redundant for most use cases — the default is already private.
The exceptions
Some TLDs and registrars still expose more data:
- Some ccTLDs (.us, .br, .ru) maintain pre-GDPR WHOIS exposure for local registrants.
- Business registrations at certain registrars expose the company name (not the contact’s personal data) on the theory that the company is the registrant.
- Old historical WHOIS records (cached by archives before 2018) still circulate via paid databases like DomainTools’ historical lookup.