Beginner
Lesson 7 of 20 · ~7 min

Privacy and proxy services

What WHOIS privacy hides, what it does not, and the GDPR redaction reality that already does a lot of the work for free on common gTLDs.

A lot of clients believe domain privacy services make them anonymous. They don’t. The registry still has the real contact data; the proxy substitutes a generic placeholder in public WHOIS / RDAP responses. Acting on the wrong belief leads to two specific problems: clients who think privacy protects them from a trademark complaint or a legal subpoena and learn the hard way that it doesn’t, and clients who pay for privacy on a TLD that doesn’t support it (the upsell at the registrar is silently inactive).

Knowing what privacy actually does is a 30-second client conversation that prevents both.

What privacy does vs what it doesn’t

What privacy DOESWhat privacy DOES NOT
Substitute the proxy organisation’s details in public WHOIS / RDAP responsesChange the registrant of record (the legal owner stays the same)
Substitute a proxy-routed email that forwards or filters to the real registrantBlock legal processes; subpoenas, UDRP, and trademark complaints pierce the proxy
Hide individual contact data from spam harvesters and casual lookupsApply to all TLDs; several ccTLDs disallow it
Add per-domain identity separation if the registrant runs many domainsHide data from the registry or the registrar; both still hold the real contacts

The registry still has the real registrant data. So does the registrar. The proxy substitution only affects what shows up in public lookups.

The post-GDPR redaction reality

After GDPR (2018), most public WHOIS / RDAP responses for the common gTLDs (.com, .net, .org, the new gTLDs) redact individual contact data by default. Fields show REDACTED FOR PRIVACY or similar. Organisation registrants (named companies) typically still appear in full, but individual registrants are largely hidden.

The practical consequence: for individual registrants on .com and its peers, the privacy upsell from the registrar duplicates what GDPR redaction already does for free. The proxy still offers something on top (a single forwarding email instead of an opaque contact-form link, or per-domain identity separation), but the dramatic before-and-after of pre-GDPR WHOIS is gone.

ccTLDs vary. Some show full data for everyone, some redact aggressively. Know which TLD you’re looking at.

Two questions before selling privacy
  1. Does this TLD support it? Default yes for .com / .net / .org / most new gTLDs. Check the registry’s policy for ccTLDs (.com.au and several others disallow it; the registrar’s upsell may silently no-op).
  2. Is the client’s contact data already redacted by GDPR? For individuals on common gTLDs, yes. The privacy upsell adds limited extra value over the baseline redaction. For organisations and for ccTLDs that show data in full, privacy provides more.

What this is NOT

  • “Privacy makes the domain anonymous.” The registry and registrar still have the real data. Anonymity in the colloquial sense is not what’s on offer; substitution in the public lookup is.
  • “Privacy protects from lawsuits.” Privacy is a presentation feature, not a legal one. Subpoenas, UDRP complaints, and court orders pierce the proxy.
  • “All TLDs support privacy.” Several ccTLDs disallow it. Check the registry’s policy before selling privacy on a non-gTLD.

Decision walkthrough

What do you do first?
A small-business client emails: 'I'm starting to get harassed in the comments on my website. The harasser keeps mentioning my home address; they must have looked it up in WHOIS. Can you turn on domain privacy to fix this?'
Before you change anything at the registrar, what do you do?

What to do next

Treat the privacy upsell as a presentation layer. Ask the two questions in the Callout above before adding it. When a client asks if privacy hides them from legal processes, the answer is no, and they probably need legal advice rather than a stronger privacy product.

Next lesson