Imagine a customer complains to you about a product they purchased online from YOURBRAND.COM. Only you don’t own this domain name, and the problematic product is a counterfeit. You need this website to be shut down immediately. In the past, your first move may have been to locate the owner of the website, using WHOIS, the protocol used to query registrar databases for domain name ownership information. However, now when you go to WHOIS, the registrant’s information is missing, other than a jumble of numbers and letters for an email address and the registrant’s country. This is the post-WHOIS blackout world, which began on approximately May 25, 2018, concurrent with the effective date of the EU’s General Data Protection Regulation (GDPR). The GDPR is intended to protect individuals’ privacy by addressing the collection and processing of personal data of European Union citizens. However, the GDPR has far-reaching, extraterritorial ramifications for registrars (e.g., GoDaddy and Register.com) who serve EU citizens. Because revealing domain name registrants’ personal information is in direct conflict with the GDPR, many registrars have limited the availability of all customers’ contact information.
If WHOIS does not reveal the YOURBRAND.COM’s owner, you may be able to locate the registrant through the website associated with the domain name. Some websites may reveal the domain name owner in the “About Us” or “Contact Us” pages, or in the website terms of use or privacy policy. The registrant may also sometimes be identified through a related social media page, such as Facebook, Instagram or Twitter. Finally, some third parties, such as DomainTools, have made historical WHOIS data available.
Another possibility is to attempt to contact the domain name registrant using the “anonymized” email address that appears in the WHOIS results or to contact the registrar directly to request disclosure of the registrant’s information. According to ICANN’s Temporary Specification for gTLD Registration Data, a temporary measure intended to harmonize the GDPR with individuals’ legitimate need for the release of domain name registrants’ information, “registrar and registry operators MUST provide reasonable access to personal data in registration data to third parties on the basis of a legitimate interest [ ] pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registered name Holder or data subject pursuant to Article 6(1)(f) GDPR.” That said, registrars and registry operators do not have a standardized approach in how such requests should be made, and what a requestor must demonstrate for the registrant’s information to be disclosed. In many cases, the registrars and registry operators simply refuse to provide such information.
Fortunately, there are means to address cybersquatting even if you cannot locate a domain name registrant. For example, you can bring an in rem action under the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), which can lead to forfeiture, cancellation or transfer of the domain name. Alternatively, you can initiate an action under the Uniform Domain Name Dispute Resolution Policy (UDRP) and Uniform Rapid Suspension (URS), both of which are lower-cost alternatives to federal court actions for recovering infringing domain names. According to the World Intellectual Property Organization (WIPO), one of the administrative tribunals that handles UDRP and URS proceedings, a complaint will be accepted provided it contains all available registrant information, even if it does not identify the registrant.
While it is more a challenge to address cybersquatting now that registrant information is more difficult to locate, there are still options. Plus, things will hopefully get better. ICANN has launched an Expedited Policy Development Process (EPDP) to develop a permanent policy for WHOIS data collection, processing, and access, which is intended to replace the Temporary Specification. The group has found that there are legitimate interests in WHOIS data for parties other than ICANN, registries, and registrars, such as law enforcement and trademark owners.
While the EPDP is meeting weekly to reach a consensus on the various issues involved in balancing privacy interests with intellectual property owners’ need for enforcement, EPDP members are not currently in agreement on a policy for access to WHOIS data and it may take some time for a consensus to be reached, perhaps a year or more.
Despite the uncertainty, we believe the recognition of trademark owners’ need for domain name registrant data is a promising development, and will hopefully result in a permanent solution that will provide trademark owners consistent and reliable access to non-public information about domain name registrants.