How GDPR Changed the WHOIS System and What It Means for Domain Privacy

by dotCanada Team
Before 2018, registering a domain meant your name, address, phone number, and email were publicly searchable in the WHOIS database - the global directory of domain ownership. Anyone could look up who owned any domain in seconds. Marketers used it for prospecting. Spammers scraped it for email addresses. Bad actors used it to identify targets.

The General Data Protection Regulation changed that dramatically when it came into force in the European Union in May 2018. But the protection is not as complete or universal as many registrants assume.

What WHOIS Was Before GDPR

WHOIS is a protocol that domain registrars use to publish registration data. ICANN, the body that oversees the global domain name system, required registrars to collect accurate registrant contact information and make it publicly queryable. This was by design - accountability and contact information for domain owners were considered important for abuse reporting, intellectual property enforcement, and general transparency.

The practical result was that every domain registration created a permanent, publicly searchable record containing your personal details. Even privacy-conscious individuals who registered domains for personal projects had their home addresses in a database searchable by anyone with an internet connection.

What GDPR Changed

GDPR established that European residents have rights over their personal data, including the right to limit its public disclosure when there is no legitimate legal basis for publishing it. Registrars were faced with a conflict: ICANN required them to publish personal data, but EU law restricted them from doing so without consent.

The response across most of the registrar industry was to redact personal data from public WHOIS queries for EU registrants. Today, a WHOIS lookup on most generic top-level domains (.com, .net, .org, and others) returns redacted information - you see the registrar name, registration dates, and nameservers, but not the registrant's name, address, or contact details.

Legitimate parties with a legal basis to access the underlying data - law enforcement, intellectual property investigators - can still request it through a formal process. But casual public lookup no longer surfaces personal information for most registrants.
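To see what a public lookup on your own domain actually returns, the following added example (not dotCanada's code) parses the text of a WHOIS reply and reports which registrant fields are redacted and which are still exposed. The field labels, the redaction wording, and both sample records are assumptions constructed for illustration; real registrar output varies.

```python
import re

# Assumed redaction wording; registrars phrase it differently.
REDACTION_MARKERS = ("redacted", "data protected", "not disclosed", "withheld")
# Assumed gTLD-style labels for registrant fields that hold personal data.
PERSONAL_FIELDS = ("name", "street", "city", "postal code", "phone", "fax", "email")

# Constructed sample replies (not real lookups).
SAMPLE_REDACTED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: https://registrar.example/contact
"""
SAMPLE_EXPOSED = """Domain Name: EXAMPLE.ORG
Registrant Name: Jane Doe
Registrant Street: 123 Example St
Registrant Phone: +1.5555550100
Registrant Email: jane@example.org
"""

def parse_whois(text):
    """Return {lowercased label: [values]} from 'Label: value' lines."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:%#>]+?)\s*:\s*(.*)$", line)  # skips %, # and >>> notes
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return record

def classify(value):
    """Label one field value as redacted, contact-form, or exposed."""
    low = value.lower()
    if not value or any(mark in low for mark in REDACTION_MARKERS):
        return "redacted"
    if low.startswith(("http://", "https://")):
        return "contact-form"  # registrar relay form instead of a real address
    return "exposed"

def audit_registrant(text):
    """Map each personal registrant field present to its status."""
    record, report = parse_whois(text), {}
    for field in PERSONAL_FIELDS:
        statuses = [classify(v) for v in record.get(f"registrant {field}", [])]
        if statuses:  # a repeated label counts as exposed if any copy is
            report[field] = "exposed" if "exposed" in statuses else statuses[0]
    return report

def exposed_fields(text):
    return sorted(f for f, s in audit_registrant(text).items() if s == "exposed")
```

Pass it the saved text of a lookup on a domain you own; an empty result from `exposed_fields` means none of the listed registrant fields appeared in the clear.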

How .CA Domains Handle Privacy

The .CA domain, administered by CIRA (the Canadian Internet Registration Authority), operates under its own policy framework rather than ICANN's generic TLD rules. CIRA implemented its own WHOIS privacy framework that predates GDPR and reflects Canadian privacy law principles.

CIRA's registrant agreement requires accurate contact information, but CIRA limits what is published publicly. For .CA domains, registrant name and full contact details are not displayed in public WHOIS lookups in the same way they were for .com domains before GDPR. CIRA's policy is shaped by PIPEDA (and its successor legislation, the Consumer Privacy Protection Act) rather than GDPR directly.

Why You Should Still Enable Domain Privacy Protection

Given that GDPR has already redacted much of the public WHOIS data for many registrants, some people assume domain privacy protection is no longer necessary. That reasoning has gaps.

First, the redaction applies to EU registrants under GDPR. If you are a Canadian registrant registering a .com or other ICANN-governed domain, the legal basis for redacting your data may be less clear, and registrar practices vary.

Second, your information still exists in registrar databases. In the event of a legal dispute, a data breach at the registrar, or a jurisdiction where privacy protections are weaker, that data can surface.

Third, domain privacy protection typically replaces your contact information with the registrar's proxy information, meaning the protection is active at the point of collection - not just at the point of display.

Fourth, WHOIS is not the only way registrant data leaks. Domain transfers, historical WHOIS archive services, and screenshots of older lookups can expose data that was never redacted in the first place.

Domain privacy protection is inexpensive - often free or a few dollars per year - and there is no meaningful downside to enabling it. The few cases where someone has a legitimate reason to reach the domain owner are handled through proper channels. Enable it for every domain you register.
