Skip to main content
Abstract domain-registration privacy scene with secured network nodes and identity verification elements

GoDaddy challenges India domain privacy order as WHOIS access fight widens

A Delhi High Court order aimed at fake websites would curb default domain privacy, require KYC checks and speed disclosure requests. GoDaddy says the remedy could expose legitimate site owners.

Published

05 Jul 2026

Reading Time

4 min read

Share this article:

Contents

Gizmodo reported on July 4, 2026, citing Reuters, that GoDaddy is challenging a Delhi High Court order that changes how domain registrars serving India must handle privacy, identity checks and disclosure requests. The case is not just about one registrar. It sits at the intersection of anti-phishing enforcement, WHOIS-style registration data and the privacy expectations that many site owners now treat as standard.

The underlying judgment, Dabur India Limited v. Ashok Kumar & Ors., was pronounced on December 24, 2025. The court described a pattern of fake websites using well-known brands to mislead consumers, collect payments and disappear before rights holders or investigators could identify the registrants. In the court record, domain-name registrars are part of a wider enforcement chain that also includes banks, law-enforcement agencies, registry operators, ICANN and Indian government bodies.

What the order changes

The Delhi High Court directed domain-name registrars and registry operators not to mask registrant, administrative-contact and technical-contact details by default. Instead, privacy protection must be offered only when the registrant specifically chooses it, and the court said it should be treated as a paid value-added service rather than part of the default domain-registration package.

The judgment also says registrars must disclose data tied to an infringing or unlawful domain name to courts, law-enforcement agencies or parties with a legitimate interest as soon as possible and no later than 72 hours. The listed data can include registrant names, administrative and technical contacts, addresses, mobile numbers, email addresses, payment-related information and details of related services such as hosting.

A third major direction is identity verification. Registrars offering services in India or to customers in India must verify registrant details at the time of registration and periodically afterward, using KYC requirements referenced from India's April 28, 2022 CERT-In directions. The government was also asked to hold stakeholder consultations and consider a NIXI-style registration framework or repository.

Why GoDaddy objects

GoDaddy's concern, as reported by Gizmodo and Reuters-based Indian coverage, is that a rule built to expose fake-site operators could also expose legitimate site owners. If privacy-by-default is removed, ordinary registrants may have names, phone numbers, email addresses and physical addresses surfaced through domain-registration lookups or disclosure processes. That risk matters for small businesses, independent publishers, activists, security researchers and individuals who register domains for personal projects.

The company is also arguing over scope. Domain names are global assets: a .com address registered through a global registrar is not naturally limited to one country's audience. If a national court order forces a registrar to change defaults or block variations of protected names in a broad way, the operational effect may reach beyond India.

The court's policy goal is also real. The judgment says fake domains were being used for impersonation, payments and consumer deception, and it refers to more than 1,100 infringing domain names across the batch of suits. Reuters-based coverage also links the case to a wider cyber-fraud problem in India. The difficult question is not whether domain abuse exists, but whether the remedy can expose less data while still giving investigators and brand owners fast access when a domain is plausibly abusive.

The global registration-data backdrop

ICANN's Registration Data Policy sets requirements for processing registration data by ICANN-accredited registrars and gTLD registry operators. ICANN also operates the Registration Data Request Service, which gives consumer-protection advocates, cybersecurity specialists, government officials, intellectual-property professionals and law-enforcement personnel a standardized path to request nonpublic gTLD registration data.

GoDaddy's own non-public registrant data request policy frames disclosure around legitimate interest and says requests should not replace less intrusive mechanisms where those are available. That illustrates the tension: domain-abuse response needs a path to attribution, but modern registration-data systems try to avoid putting every registrant's personal details in public view by default.

What to watch next

The next milestone is the appeal process. Reuters-based coverage says the matter is scheduled for July 16, 2026. Until there is more clarity, registrars, brand-protection teams and privacy advocates will be watching whether the court narrows the disclosure path, defines legitimate interest more tightly, or preserves the broader KYC and anti-abuse directions.

For technology readers, the larger lesson is that domain registration is becoming part of the trust-and-safety stack. The internet still needs faster action against phishing and brand impersonation, but the design of that action will determine whether the burden falls mainly on fraudsters or also on legitimate domain owners who rely on privacy protections.

Tags:

#domain privacy #WHOIS #GoDaddy #India #cybersecurity #internet governance

18

views

0

shares

0

likes

Related Articles