What WHOIS is and why your personal data is publicly visible

WHOIS is the public lookup directory for domain name registrations. Every time a domain is registered, the registrar is required by ICANN (the Internet Corporation for Assigned Names and Numbers) to publish certain contact details for the registrant, administrative, and technical contacts. By default, that means anyone running a whois query or visiting a public WHOIS lookup page can see the registrant's full name, postal address, email, and phone number.

This is intentional. WHOIS exists so that legitimate parties — law enforcement, trademark holders, journalists, other domain owners, abuse reporters — can contact the owner of a domain. The problem is that the same data is harvested by spammers, scrapers, and lead-generation companies the moment a domain is registered. A new domain can start receiving cold calls, junk mail, and phishing emails within days.

For most individual registrants, that is a poor trade: a public directory designed for accountability has become a spam generator. WHOIS privacy exists to keep the directory functional for legitimate contact while reducing the harm to the registrant.

What domain privacy / WHOIS protection does (and does not)

WHOIS privacy is a simple substitution. The registrar replaces your personal contact details in the public WHOIS output with a forwarding proxy: a generic email like contact@privacy-example.com, a forwarding phone number, and a proxy mailing address. Messages sent to the proxy are forwarded to you, the real registrant, behind the scenes.

What it accomplishes in practice:

  • Reduces spam and cold calls. Harvesters cannot pull a working email or phone from your domain record.
  • Reduces physical-mail scams. Fake "domain renewal" invoices sent by postal mail become much less likely when your address is not in the public record.
  • Reduces social-engineering exposure. A registrar lookup is a common first step in targeted phishing, where an attacker pretends to be your host, your bank, or even a colleague. Removing the public data removes that starting point.
  • Preserves legitimate contact. Anyone with a real reason to reach you can still use the proxy, and abuse complaints can still reach the registrant through the registrar's abuse contact.

What it does not do is hide your ownership from anyone with legal authority to ask. The registrar retains the real registrant data and is obligated to disclose it under specific circumstances. We cover that in detail below.
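To check that the substitution described above is actually in effect on your own domain, the following Python (an added example, not part of the original article or any registrar's tooling) audits the text of a WHOIS response and lists contact fields that still carry real data; it is worth rerunning after a registrar transfer. The marker list, the field names matched, and both sample records are constructed assumptions.

```python
import re

# Assumed markers of a redacted or proxied value; extend for your registrar's wording.
MASK_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "not disclosed")

# Contact fields that privacy services substitute. Country and state are left
# out: they often remain published even with privacy on.
CONTACT_LINE = re.compile(
    r"^[ \t]*(Registrant|Admin|Tech)[ \t]+(Name|Organization|Street|Email|Phone)"
    r"[ \t]*:[ \t]*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)

def audit_whois(raw: str) -> dict:
    """Map each contact field found in a WHOIS response to 'masked' or 'exposed'."""
    findings = {}
    for role, field, value in CONTACT_LINE.findall(raw):
        text = value.strip().lower()
        # An empty value or one containing a marker counts as not published.
        masked = not text or any(m in text for m in MASK_MARKERS)
        findings[f"{role.title()} {field.title()}"] = "masked" if masked else "exposed"
    return findings

def exposed_fields(raw: str) -> list:
    """Return the sorted names of contact fields that still show real data."""
    return sorted(k for k, v in audit_whois(raw).items() if v == "exposed")

# Constructed sample: privacy applied to every contact field.
SAMPLE_PROXIED = """\
Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Email: contact@privacy-example.com
Registrant Phone: REDACTED FOR PRIVACY
"""

# Constructed sample: registrant masked, admin/tech contacts left in the clear.
SAMPLE_PARTIAL = """\
Domain Name: example.net
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: contact@privacy-example.com
Admin Name: Jane Doe
Admin Email: jane.doe@example.net
Tech Phone: +1.5555550100
"""

if __name__ == "__main__":
    for label, record in (("proxied", SAMPLE_PROXIED), ("partial", SAMPLE_PARTIAL)):
        print(label, "->", exposed_fields(record) or "no exposed contact fields")
```

The marker match is a heuristic: a real value that happens to contain one of the marker words will be reported as masked, so read the raw record when a result looks surprising.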

Free vs paid WHOIS privacy: what registrars include vs charge $5–$15/year

This is where the price gap is real. Some registrars include WHOIS privacy free on most TLDs, on the theory that privacy is table stakes for a modern registrar. Others treat it as a paid add-on, often $5 to $15 per year per domain, sometimes discounted to $0 in the first year to look competitive at checkout.

The cost looks small in isolation — a few dollars per year — but multiplied across a portfolio it matters. Someone holding 20 domains at a registrar that charges $9.99 per domain for privacy is paying $199.80/year just to keep contact data redacted. The same 20 domains at a registrar with free privacy cost nothing extra.

Two patterns to watch for in checkout:

  • Pre-checked upsell. Privacy is added by default unless you opt out, often on a multi-year term that auto-renews.
  • First-year free. Privacy is $0 in year one and $9.99/year from year two onward. The renewal cost is the real number to compare.

If privacy matters to you, treat it as part of the domain's real annual cost, not as a free bonus.

What GDPR partial privacy does (and does not) in EU/UK contexts

After the EU's General Data Protection Regulation took effect in 2018, the WHOIS landscape changed substantially. ICANN temporarily relaxed its thick-WHOIS requirements, and most ICANN-accredited registrars began redacting personal contact fields for natural persons (individual registrants) in the public lookup. For many EU/UK individuals, the WHOIS record for a .com or .net domain now shows "redacted for privacy" or proxy-style data by default, with the registrant's real data held internally by the registrar.

What GDPR-related redaction usually covers:

  • Individual registrant's full name, personal email, and personal phone.
  • Personal residential address for natural persons (not for legal entities like companies or LLCs).
  • Some ccTLDs (country-code TLDs) with EU data protection rules apply the same pattern.

What it does not do:

  • Apply uniformly to every TLD. Some country-code registries still publish registrant data, especially outside the EU/EEA.
  • Hide legal entities. If you register a domain as a company, partnership, or LLC, the company name, country, and sometimes state are typically still visible.
  • Replace paid privacy for non-EU residents. If you are registering from the US, Canada, Australia, or most of Asia, GDPR does not protect you the same way — and some registrars apply redaction globally, others only to EEA customers.
  • Protect you from a registrar's own legal obligations. GDPR changes what is published; it does not change what the registrar is required to disclose under valid legal process.

The practical takeaway: GDPR gives EU/UK individual registrants a meaningful baseline, but it is not a complete privacy solution, and it is not portable across all TLDs or all registrant types.

What WHOIS protection does NOT protect you from

WHOIS privacy is a layer against passive harvesting. It is not a shield against anyone with a legal right to know. Keep these limits in mind:

  • Court orders and subpoenas. Registrars are required to disclose real registrant data in response to a valid court order, subpoena, or equivalent legal process in their jurisdiction. The proxy does not stand in the way.
  • UDRP and URS proceedings. Under the Uniform Domain-Name Dispute-Resolution Policy, trademark holders can file a complaint and obtain real registrant data through the registrar. Privacy does not prevent a UDRP case from proceeding.
  • ICANN compliance audits and WHOIS accuracy checks. ICANN can require registrars to verify registrant data. If your data is inaccurate, the registrar may suspend or cancel the domain, and privacy does not exempt you from accuracy requirements.
  • Registrar's own internal investigation. If your domain is tied to abuse complaints (phishing, malware, spam), the registrar can and will look at the real registrant data when handling the complaint.
  • Domain transfers. If you transfer the domain to another registrar, privacy settings may not transfer with it. Some registrars re-enable privacy on transfer; others do not, and you may have to re-purchase or re-enable it at the new registrar.
  • Real-world social engineering. Privacy hides your email and phone from a public lookup, but it does not stop attackers who find your contact data through other channels — a leaked customer list, a public social profile, a data broker.

Privacy is anti-spam and anti-harvesting. It is not anti-legal-process and it is not a complete identity protection system.

Cost comparison: free vs paid WHOIS privacy across registrars

Below is a generic comparison of common registrars and how they handle privacy. Prices and policies change, so always verify the current terms on each registrar's site before registering. The patterns, however, are stable.

| Registrar | Free privacy? | Paid privacy cost / year | What privacy covers | What it does not cover |
|---|---|---|---|---|
| Cloudflare Registrar | Yes (at-cost pricing, no markup for privacy) | N/A | Replaces registrant contact in public WHOIS with Cloudflare proxy data. No per-domain privacy fee. | Does not change court-order, UDRP, or ICANN disclosure obligations. Some TLDs may not allow proxy data. |
| Namecheap | Yes, on most TLDs | Free (free WhoisGuard bundled) | Replaces registrant contact with WhoisGuard forwarding proxy. Free for the lifetime of the domain. | Some premium TLDs may not include WhoisGuard. UDRP / legal process still applies. |
| Porkbun | Yes, on most TLDs | Free | Free WHOIS privacy included at registration. No upsell at checkout. | Limited TLD coverage in some cases. Legal disclosure obligations unchanged. |
| Hover | Yes | Free | Replaces registrant contact in public WHOIS at no extra cost. | UDRP / subpoenas still apply. Privacy may not transfer to another registrar automatically. |
| Dynadot | Yes, on most TLDs | Free | Free privacy on supported TLDs. | Some ccTLDs may not support it. UDRP / legal disclosure still applies. |
| Gandi | Yes (included in standard registration) | Free | Whois proxy included by default for individuals. | Legal entity contacts may be published. UDRP / legal process unchanged. |
| GoDaddy | First term sometimes free, then paid | ~$5–$10/year per domain (varies by TLD and term) | Domain Privacy replaces contact in public WHOIS; full version adds expiration protection and transfer lock monitoring. | UDRP / court orders still apply. Privacy is per-domain cost, so it scales with portfolio size. Auto-renews at full price. |
| IONOS | First year free, then paid | ~$6–$10/year per domain | WHOIS privacy plus domain lock features in the paid tier. | Per-domain cost. UDRP / legal disclosure still applies. |
| Domain.com / Network Solutions | No, paid add-on | ~$5–$15/year per domain | Replaces contact in public WHOIS, sometimes bundled with site lock or transfer protection. | Per-domain cost scales poorly. UDRP / court orders still apply. |
| Bluehost / HostGator / bundled hosts | No, paid add-on | ~$9.99–$14.99/year per domain | Replaces contact in public WHOIS. Often bundled with "domain protection" plans that add WHOIS, theft protection, and email features. | Per-domain cost. Sometimes pre-checked at checkout. UDRP / legal process still apply. |

Two patterns stand out: registrars that price domains at cost (Cloudflare) or include privacy as a free feature (Namecheap, Porkbun, Hover, Dynadot, Gandi), and registrars that bundle privacy into a "domain protection" plan and charge annually for it. The second group often makes privacy a checkout upsell with a multi-year term.

When free privacy is enough vs when to pay

Free privacy is enough for most individual registrants, hobby projects, blogs, small business sites, and portfolio domains. If your registrar includes it at no cost, there is no reason to switch to a paid plan just for the privacy line item.

Consider paying for privacy (or switching registrars) when:

  • You hold a meaningful portfolio. Paying $9.99 × 20 domains adds up. Switching to a registrar with free privacy can save a few hundred dollars per year.
  • Your registrar charges and the renewal is high. If your current registrar bills $9.99–$14.99 per domain per year for privacy, the math can justify a transfer to a registrar with free privacy, even after accounting for transfer friction.
  • You register as a company and want to keep the company name out of public WHOIS. GDPR redaction usually does not apply to legal entities, so paid privacy (or a registrar with built-in proxy data for entities) becomes more important.
  • You need additional features bundled with privacy. Some paid plans add domain lock, transfer protection, expiration monitoring, or theft protection. If those matter and are bundled cheaper than buying separately, the paid plan can be worth it.

Paid privacy is rarely the right call purely on its own — most of the value of "domain protection" is in the surrounding features. If you only want your contact data redacted, free privacy at a different registrar is almost always cheaper.

The answer box

The real cost of WHOIS privacy is whatever your registrar charges for it, on top of the domain itself, every year you keep the domain. That cost is $0 at registrars that include it free (Cloudflare, Namecheap, Porkbun, Hover, Dynadot, Gandi for most TLDs), and roughly $5 to $15 per year per domain at registrars that sell it as a paid add-on (GoDaddy, IONOS, Domain.com, Bluehost, HostGator). For a portfolio of 10+ domains, the difference between "free" and "paid" can be $50 to $150 per year — meaningful enough to include in the real-cost calculation before registering.

Buyer checklist: domain privacy decision

  1. Write down the privacy cost at your current registrar, per year per domain, before deciding to keep or move it.
  2. Check whether your registrar includes free privacy on your TLD — many do, and the answer changes the cost calculation entirely.
  3. For EU/UK individual registrants, confirm whether GDPR redaction is already doing the work; if so, paying for "extra" privacy may be redundant.
  4. For company / LLC registrants, note that GDPR redaction often does not apply, and proxy privacy is the main way to keep company-name and address out of public WHOIS.
  5. For a portfolio of multiple domains, multiply the per-domain privacy cost by the number of domains. The total may justify switching registrars.
  6. Watch for first-year-free privacy offers that auto-renew at full price; treat the renewal number, not the promo number, as the real cost.
  7. If you transfer the domain to another registrar, verify whether privacy transfers with it. Some registrars re-enable it for free; others make you re-purchase or re-enable it manually.
  8. Do not assume privacy protects you from legal process. It mainly reduces spam, scraping, and unwanted contact. Court orders, UDRP disputes, and ICANN compliance still reach the real registrant data.

Affiliate disclosure: PriceGap may use affiliate links in the future. This article contains no advertiser checkout links, does not claim advertiser approval, and does not quote fixed live prices. Always verify current privacy terms and TLD coverage directly on the registrar's site before registering.