Introduction

ICANN’s new Registration Data Policy (RDP), effective since August 21, 2025, establishes a unified and globally consistent framework for the collection, processing, publication, and disclosure of domain name registration data by registrars and registry operators. Replacing the temporary GDPR-related measures introduced in 2018, the RDP harmonizes data management practices across all gTLDs (generic Top-Level Domains) and ensures compliance with international personal data protection standards.

The policy clarifies the responsibilities of contracted parties with respect to data accuracy, security, and accountability, while strengthening transparency for legitimate disclosure requests through the Registration Data Request Service (RDRS), ICANN’s new system for accessing WHOIS data. Since 2018, access to certain personal data has been restricted or anonymized in the WHOIS database for domain names. In response to these restrictions, the RDRS was implemented to enable controlled, GDPR-compliant access to certain data masked by WHOIS. This is the first consensus policy to directly embed data protection principles within ICANN’s contractual ecosystem.

Key measures of the Registration Data Policy

Although the policy is detailed and technical, several major changes and obligations have been introduced for registrars and registry operators.

Data protection agreements and data processing specification

Registries and registrars must, where required by local law, enter into Data Protection Agreements to ensure that the processing of personal data complies with applicable regulations, including the GDPR.

The policy also introduces the Data Processing Specification (DPS), a contractual framework setting out the rules for processing “personal registration data” and defining the respective obligations of independent data controllers, including the conditions under which data may be collected, used, or transferred.

Minimal data collection and removal of certain contact roles

The new policy establishes a “minimum data set” model, under which registrars and registries may collect and retain only the data strictly necessary for registration operations and legal compliance.

Administrative, technical, and billing contact roles are no longer mandatory for most gTLDs, only the registrant contact remains required. Following the policy’s entry into force, registrars must delete data associated with these secondary contact roles.

Organization name as registrant: legal ownership recognition

When the “Organization / Company” field is filled out in the registrant contact information, that entity is now recognized as the Registered Name Holder, meaning the legal owner of the domain. If the field is left blank, the domain remains owned by the individual identified by first and last name. This clarification enhances legal certainty and reduces ownership disputes.

Disclosure criteria and registration data directory services (rdds)

The policy imposes stricter rules on the disclosure of registration data through Registration Data Directory Services (RDDS). It sets precise criteria to balance transparency, privacy, and legitimate data access.

It also revises the procedure for managing conflicts between disclosure obligations and data protection laws, while defining specific timelines for urgent lawful disclosure requests.

Implementation obligations and timeline

Registries and registrars were required to achieve full compliance by August 21, 2025. During the transition phase (from August 20, 2024 to August 20, 2025), they could adopt the policy in part or maintain certain aspects of the previous regime. ICANN and contracted parties must now adapt their systems, processes, and internal policies to ensure consistent and harmonized global implementation.

To learn more about online trademark protection strategies and the support our firm provides in light of these ICANN developments, we invite you to visit Dreyfus’s dedicated page.

policy timeline

Practical consequences and challenges

These changes entail a major technical and organizational overhaul. Registries and registrars must modernize their systems to integrate the minimum data model and remove outdated contact roles.

Contractual adjustments with third parties will also be necessary. External service providers involved in data management, such as WHOIS/RDAP operators, billing systems, or customer support, must be incorporated into data protection or processing agreements, in line with the Data Processing Specification (DPS).

A higher risk of ownership errors has also emerged: a registrant who mistakenly fills in the “Organization” field may inadvertently transfer legal ownership of the domain to an unintended entity. Registrars should therefore inform and educate their clients about this change.

The policy also introduces stricter limits on data marketing and bulk access. Mass access to registration data is now subject to tighter restrictions. Third parties wishing to use such data must comply with the Registration Data Marketing Restriction Policy, which defines precise usage conditions and prohibits unauthorized processing for commercial purposes.

All disclosure requests must be justified, documented, and handled within specific timeframes, strengthening accountability and traceability throughout the process. Finally, ICANN foresees regular compliance audits and inspections. Non-compliance may lead to corrective actions or sanctions.

Conclusion: key obligations under the new Registration Data Policy (RDP)

The RDP establishes a unified global framework aimed at reinforcing personal data protection, security, and transparency.

Key obligations for registries and registrars include:

  • Standardized data management: collection, processing, and publication in accordance with ICANN and GDPR standards.
  • Limited publication: only non-personal data may be made public via WHOIS/RDAP.
  • Controlled disclosure: all access requests must be justified, documented, and processed through a standardized procedure.
  • Data accuracy and reliability: regular verification and updating of registrant information.
  • Data retention and security: protection and storage for the minimum period defined by ICANN (typically two years).
  • Accountability and compliance: proper documentation, technical safeguards, and cooperation with ICANN audits.
  • Secure transfers: data updates and transmissions must follow ICANN-approved protocols.
  • Use of the RDRS: registrars are encouraged to rely on the Registration Data Request Service for handling disclosure requests efficiently.

The implementation of the RDP marks a shift toward a more harmonized and responsible model of data governance. Industry stakeholders must now balance legal compliance, operational efficiency, and privacy protection. A proactive approach, combining technical adaptation, contractual updates, and staff training, will be essential to strengthen trust within the global domain name ecosystem.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

1. Why was this policy adopted?
The RDP ensures that domain registration practices comply with global data protection laws, including the GDPR, while maintaining the level of transparency required for the stability of the domain name ecosystem. It establishes a uniform framework of accountability, security, and transparency for all registries and registrars.

2. Does the RDP affect domain name disputes (UDRP, URS, etc.)?
Indirectly, yes. Trademark owners or their representatives may find it more difficult to identify registrants quickly due to redacted personal data. However, the RDRS compensates for this by offering a structured channel to request the necessary information for dispute proceedings.

3. Do national data protection authorities (such as France’s CNIL) still play a role?
Yes. While the RDP provides a global framework, it does not override national data protection laws. In cases of conflict, local legislation prevails, particularly within the European Union, where the GDPR remains the primary legal standard.

4. Does the RDP affect the transparency of the public WHOIS?
Yes, but more exactly it redefines it. Raw WHOIS data is no longer universally accessible; instead, it is replaced by a selective and justified access model. The goal is to protect privacy while preserving the ability to combat misuse and cybercrime.

5. What are the next steps following the implementation of the RDP?
ICANN plans to conduct an implementation review in the second half of 2026. This assessment will evaluate the consistency of global deployment, identify operational challenges faced by registrars, and consider potential adjustments, particularly regarding the scope of the RDRS and alignment with regional data protection laws.