“GoDaddy cares about your privacy. For this reason, we collect and use personal data only as it might be needed for us to deliver to you our world-class products, services, websites, and mobile applications.”
The above is a direct quote from GoDaddy’s privacy policy, and a fair statement to make in terms of the use of your personal data. That is, until you register a domain with the company.
Wherever it is you’re situated, GoDaddy asks for users to pay for privacy protection. With privacy being a fundamental right to us all, it seems distasteful that a large domain registrar would charge a fee for this.
With the recent introduction of GDPR – and the upcoming CCPA law in California – I wanted to take a deeper look at GoDaddy’s business practices regarding data privacy and protection.
Paying for WHOIS protection
Depending on your location, GoDaddy may encourage the sale of WHOIS protection. This, essentially translates to you paying for the protection of your privacy.
For those located outside of the EU without WHOIS protection, it could result in personal data being made publicly available on the WHOIS database.
It seems as though, for European customers, privacy rights are better enforced. If you order from the UK or any other EU country, you are not required to pay to make your data private in the WHOIS database.
This is included in the Basic Privacy Protection plan that GoDaddy offer. If you order from the US or any other non-European country in the world, GoDaddy will, by default, encourage you to pay a fee to make your personal data private. If you select ‘No Thanks’, you will have your personal data made publicly available on the WHOIS database.
However, since the protection of personal data is only included for EU users, I assume that GoDaddy follows a minimally viable privacy program, prioritizing commercial interest over basic privacy rights of international users.
For instance, GoDaddy chooses to pre-select ‘Full Domain Privacy & Protection’ to EU users, whilst the ‘Basic Privacy Protection’ option is enough to ensure your personal data is kept private in the WHOIS database. Surely, a pre-selected ‘No thanks’ would be sufficient enough?
What is WHOIS and why is it important?
WHOIS may look like an acronym, but it is actually a collection of information that relates to the owner of a domain. This information includes the owner’s full name, email address, physical address, phone number, and administrative and technical contacts.
All of this personal information is made publicly available for the world to see, including identity thieves, spammers and more threats.
If you do not wish to have this information readily available, registrars can hide this for a fee. This works by replacing your personal information with information about their company.
Should we hide WHOIS information?
To ensure the safety and protection of personal data, many domain owners decide to keep their WHOIS information hidden. Some reasons include:
- Protecting your Identity
Anybody with an internet connection will be able to access your personal data, including your name, address, email address, and phone number. It makes sense to protect this information in order to avoid personal data abuse and identity theft.
- Hiding your Location
If you are running an eCommerce store from your home, you may experience customers appearing at your door or calling you at your private phone number. Whether they were unhappy by your products or they wanted to check out “the brick and mortar store” that actually doesn’t exist, it is not a pleasant experience.
- Avoiding Unwanted Offers
Domain flippers (people who buy and sell domains) use the WHOIS databases to pick on domain names they would be interested in buying. By keeping your contact information hidden, you can prevent persistent unwanted offers for your domain
- Avoiding Spammers
Similarly, spammers won’t ask for consent to send you constant offers and promotions that are both annoying and unwanted. Spammers scrape data from the WHOIS database and fill inboxes with unsolicited email, and so by keeping your data hidden, you are minimizing the chance of spammers getting a hold of your contact information.
It is worth mentioning that the publishing of personal information in the WHOIS database, in the current form, is illegal under the GDPR. The mere act of publishing the personal information is considered to be ‘data processing’.
Domain registrars, such as GoDaddy and others, are data processors. ICANN, the organization governing the WHOIS database, is the data controller. When collecting personal data, both the data processor and data controller have a shared responsibility. However, the requirements are much tougher on the data controller – being ICANN in this case.
While not explicitly the focus of this article, a number of high profile court cases are ruling against ICANN, the organization behind WHOIS.
What GoDaddy and domain registrars should be doing in terms of privacy
Whilst GoDaddy’s WHOIS privacy practice is on the right edge of lawfulness, it is less than ideal for several reasons:
- Privacy is a Fundamental Human Right
Of course, this is not a new idea. Privacy has been a basic right long before GDPR and other global privacy laws. The fact that GoDaddy aims to make a profit by charging people for basic privacy protection seems unethical.
- More Data Privacy Scandals
The rapid technological progress in the last decade, coupled with several data breach scandals, has raised awareness regarding data protection. This has caused massive change in privacy laws all around the world. Therefore, charging a fee for a full privacy protection is not in line with the most recent developments in data protection laws.
- Someone will Lead by Example
Being one of the largest domain registrars out there, GoDaddy has the opportunity to lead the privacy movement by example. They don’t have to wait for the introduction of new rigorous laws to raise the bar of privacy protection.
It’s safe to say that they have the tools in their hands to show how the protection of personal information is being done. However, they have chosen to charge fees instead.
- A Loss of Trust
Those worried about their privacy may opt to register a domain name with other registrars. There are plenty of smaller companies who claim to believe that privacy should be free; hence they’ll protect customers’ WHOIS data at no cost for them, whether they come from the EU or not. This seems like a no-brainer when compared with GoDaddy’s unreasonable fees.
- No Default Upselling
It communicates the wrong signal to pre-select a more expensive privacy package. A domain registrar such as GoDaddy should target EU customers with pre-ticked “No Thanks” box. Instead, when an EU customer is registering a domain, the paid “Privacy Protection” is pre-ticked by default.
A Lack of Global Privacy Regulations.
Many domain registrars operating cross-border have to deal with complex privacy and data protection laws. Whilst we have ICANN to govern the internet and domain name system, the governance of best practice privacy protection is close to non-existing. Well, we have the easy-understandable GDPR don’t we?
Companies that are working to become GDPR compliant have all realized what a giant task it was – and continues to be. Just take a look at this infographic, portraying just how complex the international privacy laws look.
It’s not easy, often not with a straight yes or no answer. Complexity is rising as technology advances, more trade is done internationally and governments all over the world are now upgrading data privacy and protection laws.
Governments are trying hard to catch up with technology by passing new privacy laws on an ongoing basis, but the inconsistency between them brings a great risk of non-compliance and confusion among international businesses. Every country, every state, and every province has their own privacy law. Moreover, the definition and the scope of personal data protection varies among them.
Unlike with other fundamental rights, there is a lack of global regulations and best practices about privacy protection. Due to this, it is difficult to provide governments with the necessary direction in creating and enacting new privacy laws.
Also, it makes it almost impossible to give businesses an opportunity for compliance without spending many resources in compliance with every single law.
However, it can be said that the world is ripe for global privacy regulations. There are two obvious solutions for for ensuring the much-wanted consistency:
- An international agreement, whether on UN-level or between the world’s leading countries, to give both governments and businesses an idea about where the world is heading regarding data privacy protection.
- An ICANN-like organization or another international body to define minimum data protection standards and best practices for privacy protection. This will guarantee alignment between national laws, ensuring privacy is being protected equally everywhere.
Whatever solution governments are up to, the sooner it is introduced – the better for businesses. They want to be compliant with privacy laws, but first, they must be sure how.
What Comes Next?
GDPR has shaken up domain registrars and ICANN by raising the bar for full personal information protection. There is no way back from this.
Customers know how important it is to protect their data and will likely reward those who meet their need to remove the risks of having their data abused.
From a legal perspective, GoDaddy played well around the GDPR. But, from a business and ethics perspective, they should do better.
They don’t risk huge fines for non-compliance with GDPR from we see online, but they do risk a loss of trust and respect from their customers. Privacy is a fundamental right to all human beings and should treated as such.
Get the TNW newsletter
Get the most important tech news in your inbox each week.