Why Is WHOIS Data Redacted? GDPR and ICANN Explained

WHOIS records went mostly blank in 2018 because of a collision between two forces: the European Union's General Data Protection Regulation, and ICANN's rules for the domain system. GDPR made it risky to publish a registrant's name, email, and address to the open internet without a legal basis. ICANN responded by requiring registrars to redact that personal data by default. The result is the "REDACTED FOR PRIVACY" lines you see today. For the full mechanics of how these lookups work, read WHOIS explained.

This was a genuine before-and-after moment. Pull up an old record from 2015 and you would often find a real name, a phone number, and a street address sitting in plain text. That openness is exactly what GDPR targeted. The redaction you now meet on almost every lookup, described step by step in WHOIS explained, is not a glitch or a paid privacy add-on; it is the baseline that ICANN's policy now mandates.

Pre-2018 versus today

Field	Before May 2018	After GDPR / Registration Data Policy
Registrant name	Usually public	Redacted by default
Registrant email	Public	Replaced with a relay or web form
Phone and postal address	Public	Redacted
Organization	Public	Often shown, especially for companies
Country / state	Public	Frequently still shown
Registrar	Public	Public
Creation / expiry dates	Public	Public
Name servers	Public	Public
Domain status codes	Public	Public

How GDPR forced the change

GDPR took effect on 25 May 2018 and applies to the personal data of people in the EU. Publishing that data globally, with no consent and no narrow purpose, sat badly against the regulation. Registrars faced real fines. Rather than let each company invent its own patchwork response, ICANN moved fast and issued a stopgap rule called the Temporary Specification for gTLD Registration Data, adopted in May 2018.

That temporary measure was always meant to be a placeholder. After years of community policy work, it was replaced by a permanent framework: the Registration Data Policy, which now governs what registrars and registries collect, what they publish, and what they hold back. The redaction rules are no longer an emergency patch; they are settled policy.

What stays visible, and why

The redaction is targeted, not total. Operational and non-personal fields remain public because the internet needs them to function and because they carry no personal-data risk. You can still see the registrar of record (so you know who to contact), the domain status codes (which reveal locks and pending transfers), the name servers, and the registration dates. Organization and country are commonly published, partly because a company name is not the same kind of personal data as an individual's home address.

How to request the redacted data

Hidden does not mean gone. Registrars still hold the full record; they just do not broadcast it. If you have a genuine reason to need the contact details, you can ask:

• Identify the registrar. It is listed in the public part of the record. That is your point of contact.
• Use the registrar's disclosure process. Most accredited registrars offer a request route, often through their abuse or legal contact, for parties with a legitimate interest.
• State your legitimate interest. Common grounds include a legal claim, trademark enforcement, fraud investigation, or a security incident tied to the domain. Vague curiosity will not clear the bar.
• Expect verification. Law enforcement and rights holders typically supply credentials or a legal basis; the registrar weighs your interest against the registrant's privacy.

For the email field specifically, many registrars publish a relay form so you can reach the owner without exposing their address. That covers a lot of routine contact without any formal request at all.

Redaction is not the same as a privacy service

One distinction trips people up. The GDPR-driven redaction described here is automatic and applies whether or not you pay for anything. A WHOIS privacy or proxy service is a separate, opt-in product where a third party's details replace yours in the record entirely. They overlap in effect (less of your data on display) but differ in mechanism and in who is named as the contact. The opt-in side is unpacked in WHOIS privacy explained.

If you want the modern, structured version of these lookups, the successor protocol is worth knowing too; see WHOIS vs RDAP for how RDAP handles access and redaction differently.

Curious what a real record shows for a domain you care about? Run a free WHOIS lookup at our home page and see exactly which fields are public and which are held back.