GDPR 2.0 and Domain Privacy: What Changed in 2025

December 15, 2024 · 7 min read · Compliance

The EU introduced stricter domain privacy regulations effective January 1, 2025. For companies managing European domains, this means changes to WHOIS disclosure rules, privacy requirements, and compliance auditing. Here's what you need to know.

What Changed on January 1, 2025

Mandatory Privacy for Personal Domains

Any domain registered by an individual (non-corporate entity) in the EU must have WHOIS privacy enabled by default. Opting out requires explicit written consent annually. This is automatic now—no action required from registrars unless the registrant specifically requests disclosure.

Corporate Transparency Requirements

Corporate domains (.de, .eu, .fr, etc.) must display verified company information in WHOIS. This is the reverse of privacy—you're required to be transparent. Registrants must keep this information current or face potential de-registration.

Privacy Service Provider Validation

If you use a privacy service to hide your information, the privacy provider must undergo validation. Not all privacy services are GDPR-compliant. Using non-compliant privacy services can result in domain suspension.

Enhanced Data Subject Rights

Anyone can now request deletion of their WHOIS data (right to be forgotten). Registrars have 30 days to remove personal data upon a legitimate request. This applies to all domains, not just those with privacy enabled.

Practical Implications for Your Portfolio

Audit Your European Domains

Go through your .de, .eu, .fr, .it, .es, and other European TLD domains. Identify which are registered to individuals vs. corporations. Individual domains should already have privacy enabled. Corporate domains should have verified company information in WHOIS.

Update Contact Information

If you have corporate domains, ensure the company information is complete and accurate. This is now legally required. Incomplete information can result in warnings or suspension.

Check Your Privacy Providers

If you use privacy services from third-party providers, verify they're GDPR-compliant. Contact your registrar if unsure. Non-compliant privacy services create legal risk.

Implement Data Deletion Workflows

You may receive requests to delete WHOIS data. Establish a process to handle these within the 30-day window. Document requests and responses.

Enforcement and Penalties

ICANN has granted the EU authority to enforce these rules. Non-compliance can result in:

  • Warnings from registrars
  • Temporary domain suspension
  • Permanent de-registration
  • Fines from ICANN and the EU (up to 4% of annual revenue in extreme cases)

For most organizations, the risk is operational rather than financial—losing critical domains hurts far more than a fine.

Action Items for 2025

Month 1: Audit

Pull a report of all your European domains. Categorize them as personal or corporate. Check which have privacy enabled and which have current company information.

Month 2: Remediate

Update corporate domain information if necessary. Verify privacy services are compliant. Document everything.

Month 3+: Monitor

Schedule quarterly audits for European domain compliance. Watch for WHOIS data deletion requests. Update contact information as needed.

Bottom Line

GDPR 2.0 domain rules aren't complex, but they require attention. The EU is serious about data privacy. Get your European domains compliant now. Don't wait for a suspension notice.
