Our approach to whois after the GDPR
It is the first day after the GDPR is in full motion, and already we were reminded by a certain law firm that it is illegal to contain private data. Therefore I feel it is necessary I write this statement.
What we did have to change is our whois API and IP whois API (EOL in 2022).
For a long time, we haven’t even stored whois on our servers. That’s right. If you asked us the whois for whoapi.com, and then 5 seconds later, another user would ask that same whois, we would go and make the request again. Up until recently we never had a cached version of the whois. We never offered historical whois, nor were you able to purchase “an entire or partial whois database” from us. Never.
Since we did recently start to cache whois to improve speed and put less stress on the whois servers, we did end up having a small whois database. So here’s what we did to comply with the GDPR without waiting for ICANN or other domain registrars.
What we did to comply with GDPR on our whois API
- On the 18th of May we warned our clients of the upcoming changes if they were using our whois API and IP whois API
- On the 24th, we completely erased the before mentioned database containing whois information.
- On 25th we launched an updated whois API and IP whois API so that now it doesn’t display private data
- On 26th we reminded our clients that if they still have private data (especially originating from Europe) on their servers, they should consult with their legal department and probably destroy it like we have (and not to take this as a legal advice)
Today, if you make a whois request on our service, you will get some whois information like before (date of registration and expiration, nameservers, registrar name, etc), but not private data (email, phone number, name, etc.). This is retracted with the words “Disabled due to GDPR”. In essence, for us, GDPR was really simple. Simplified, if we couldn’t get the consent to work with the private data (which we couldn’t) we simply deleted it and ignored it. Case closed.
Furthermore, apart from whois, we do have Screenshot API, Domain Availability API, Blacklist API and several other APIs, so this clearly adds to the fact that we are not a WHOIS company, but an API company. So although GDPR and changes in the whois will affect our business we will continue to do business, here’s why.
Without disclosing sensitive information, I can share that a part of our clients isn’t interested in whois at all (remember, we have other APIs). Another part of our clients isn’t interested in private data within whois at all. (We’ve communicated this with them months ahead). And then we had a very small portion of clients interested in the private data. These will likely cancel their monthly subscription and terminate the contract, or they will keep using just the “non-private data”, because that’s all they can get and it is also helpful to them. So far, not a single client has unsubscribed, but we expect this to happen since we do have some cancellations every month.
No private data, even from outside of the EU
Let me reiterate once again the above statement. When I say “we don’t have any private data”, this doesn’t mean “we don’t have any EU private data”! It means we don’t have any private data, period! Whether the domain owner is in Australia, China, Japan, United States, or South Africa, we don’t show the email, name, address or phone number of that domain name owner. Why? Well, as much as this frustrates some of our potential clients, and they proceed to give money to our competitors, we feel that it is not ethically responsible to distribute millions of emails, phone numbers, and addresses to any marketing and sales individual that wants to spam domain name owners. At the end of the day, we sleep better.
We also feel that with GDPR, California Privacy Rights Act, and Brazil Data Privacy Act the writing is on the wall and the trend is clear. Contact details should only be obtained from the owner directly, with their permission. If this confuses you, please read about “Permission Marketing“.
To summarize, we currently don’t have s single piece of private data on our servers, other than those of our clients which we obtained their consent during the signup process. The whois information we distribute since 25th, does not contain any private data. Same as before, you need to signup if you want to access our services.
Founder and CEO of WhoAPI Inc. Goran Duskic is an internet entrepreneur since 2006. He co-founded and sold several online ventures, including a web hosting company.