Our approach to whois after the GDPR

It is the first day after the GDPR is in full motion, and already we were reminded by a certain law firm that it is illegal to contain private data. Therefore I feel it is necessary I write this statement.

First of all, I’ll completely disregard how our American and Indian competition was and is conducting business, and due to which they were also decimating us in market share. I’ll focus just on us, and how we handled whois. Also, this post is not about double opt-in on your newsletter or our privacy policy which we also reacted accordingly and notified our clients. Hint, we didn’t have to change our privacy policy or our terms of use. They were spot on.

What we did have to change is our whois API and IP whois API (EOL in 2022).

For a long time, we haven’t even stored whois on our servers. That’s right. If you asked us the whois for whoapi.com, and then 5 seconds later, another user would ask that same whois, we would go and make the request again. Up until recently we never had a cached version of the whois. We never offered historical whois, nor were you able to purchase “an entire or partial whois database” from us. Never.

Since we did recently start to cache whois to improve speed and put less stress on the whois servers, we did end up having a small whois database. So here’s what we did to comply with the GDPR without waiting for ICANN or other domain registrars.

What we did to comply with GDPR on our whois API

  1. On the 18th of May we warned our clients of the upcoming changes if they were using our whois API and IP whois API
  2. On the 24th, we completely erased the before mentioned database containing whois information.
  3. On 25th we launched an updated whois API and IP whois API so that now it doesn’t display private data
  4. On 26th we reminded our clients that if they still have private data (especially originating from Europe) on their servers, they should consult with their legal department and probably destroy it like we have (and not to take this as a legal advice)

Today, if you make a whois request on our service, you will get some whois information like before (date of registration and expiration, nameservers, registrar name, etc), but not private data (email, phone number, name, etc.). This is retracted with the words “Disabled due to GDPR”. In essence, for us, GDPR was really simple. Simplified, if we couldn’t get the consent to work with the private data (which we couldn’t) we simply deleted it and ignored it. Case closed.

Furthermore, apart from whois, we do have Screenshot API, Domain Availability API, Blacklist API and several other APIs, so this clearly adds to the fact that we are not a WHOIS company, but an API company. So although GDPR and changes in the whois will affect our business we will continue to do business, here’s why.

Without disclosing sensitive information, I can share that a part of our clients isn’t interested in whois at all (remember, we have other APIs). Another part of our clients isn’t interested in private data within whois at all. (We’ve communicated this with them months ahead). And then we had a very small portion of clients interested in the private data. These will likely cancel their monthly subscription and terminate the contract, or they will keep using just the “non-private data”, because that’s all they can get and it is also helpful to them. So far, not a single client has unsubscribed, but we expect this to happen since we do have some cancellations every month.

No private data, even from outside of the EU

Let me reiterate once again the above statement. When I say “we don’t have any private data”, this doesn’t mean “we don’t have any EU private data”! It means we don’t have any private data, period! Whether the domain owner is in Australia, China, Japan, United States, or South Africa, we don’t show the email, name, address or phone number of that domain name owner. Why? Well, as much as this frustrates some of our potential clients, and they proceed to give money to our competitors, we feel that it is not ethically responsible to distribute millions of emails, phone numbers, and addresses to any marketing and sales individual that wants to spam domain name owners. At the end of the day, we sleep better.

We also feel that with GDPR, California Privacy Rights Act, and Brazil Data Privacy Act the writing is on the wall and the trend is clear. Contact details should only be obtained from the owner directly, with their permission. If this confuses you, please read about “Permission Marketing“.


To summarize, we currently don’t have s single piece of private data on our servers, other than those of our clients which we obtained their consent during the signup process. The whois information we distribute since 25th, does not contain any private data. Same as before, you need to signup if you want to access our services.

Related Posts
What is a WHOIS API?

In case you were wondering what is a WHOIS API or WHOIS REST API, and what does it do, here’s Read more

39 reasons to signup on WhoAPI
WhoAPI API functions

If you ever wondered or missed the information on what exactly you can get by using WhoAPI, this is the Read more

New WhoAPI blog!
WhoAPI news

We are proud to introduce you with our new blog design. On this day, lets remind ourselves what Steve Jobs Read more

Google registrar sold google.com
google.com whois record

After finding out this morning what happened (thanks to Franko Rados and Domagoj Delimar), I rushed over to the post, Read more

WhoAPI Blog now opening on SSL

As you may see by reading this news, the WhoAPI blog is now completely opening on HTTPS (SSL). Earlier it Read more

Here’s what happened in 2015
WhoAPI background

As the year is coming to an end, the majority of people like to come up with new ideas and Read more

Founder and CEO of WhoAPI Inc. Goran Duskic is an internet entrepreneur since 2006. He co-founded and sold several online ventures, including a web hosting company.

Post a Comment