Our approach to whois after the GDPR

It is the first day after the GDPR is in full motion, and already we were reminded by a certain law firm that it is illegal to contain private data. Therefore I feel it is necessary I write this statement.

First of all, I’ll completely disregard how our American and Indian competition was and is conducting business, and due to which they were also decimating us in market share. I’ll focus just on us, and how we handled whois. Also, this post is not about double opt-in on your newsletter or our privacy policy, where we also reacted accordingly and notified our clients. Hint: we didn’t have to change our privacy policy or our terms of use. They were spot on.

What we did have to change is our whois API and IP whois API.

For a long time, we didn’t even store whois on our servers. That’s right. If you asked us the whois for whoapi.com, and then 5 seconds later another user asked for that same whois, we would go and make the request again. Up until recently we never had a cached version of the whois. We never offered historical whois, nor were you able to purchase “an entire or partial whois database” from us. Never.

Since we did recently start to cache whois to improve speed and put less stress on the whois servers, we did end up having a small whois database. So here’s what we did to comply with the GDPR without waiting for ICANN or other domain registrars.

What we did to comply with GDPR on our whois API

  1. On the 18th of May we warned our clients of the upcoming changes if they were using our whois API and IP whois API.
  2. On the 24th, we completely erased the aforementioned database containing whois information.
  3. On the 25th we launched an updated whois API and IP whois API so that now it doesn’t display private data.
  4. On the 26th we reminded our clients that if they still have private data (especially originating from Europe) on their servers, they should consult with their legal department and probably destroy it like we have (and not to take this as legal advice).

Today, if you make a whois request on our service, you will get some whois information like before (date of registration and expiration, nameservers, registrar name, etc.), but not private data (email, phone number, name, etc.). This is redacted with the words “Disabled due to GDPR”. In essence, for us, GDPR was really simple. Simplified, if we couldn’t get the consent to work with the private data (which we couldn’t), we simply deleted it and ignored it. Case closed.

Furthermore, apart from whois, we do have Screenshot API, Domain Availability API, Blacklist API and several other APIs, so this clearly adds to the fact that we are not a WHOIS company, but an API company. So although GDPR and changes in the whois will affect our business, we will continue to do business. Here’s why.

Without disclosing sensitive information, I can share that a part of our clients isn’t interested in whois at all (remember, we have other APIs). Another part of our clients isn’t interested in private data within whois at all (we’ve communicated this with them months ahead). And then we had a very small portion of clients interested in the private data. These will likely cancel their monthly subscription and terminate the contract, or they will keep using just the “non-private data”, because that’s all they can get and it is also helpful to them. So far, not a single client has unsubscribed, but we expect this to happen since we do have some cancellations every month.

Summary

To summarize, we currently don’t have a single piece of private data on our servers, other than that of our clients, whose consent we obtained during the signup process. The whois information we distribute since the 25th does not contain any private data. Same as before, you need to sign up if you want to access our services.

Written by Goran Duskic

I am the founder and CEO at WhoAPI. Entrepreneur for more than a decade in the hosting and domain industry. Sold my previous company. 500 Startups and StartLabs alumni. Author of a white paper "Domain Disclosure: Dirty Dozen" and eBook "26 Fundraising Questions for Startups".
