WHOIS Infringing My Domain Name? Brand Protection In A Post-GDPR World
As an intellectual property intern at an art auction house, I spend a considerable amount of time monitoring domain name and trademark infringement. While most sites that I review are unrelated to the auction house—such as wedding planning pages or lifestyle blogs—occasionally, I find a site with an identical domain name, advertising the same or a suspiciously similar product or service. These domain names tend to be problematic as it can potentially confuse our consumers and may diminish the reputation of our brand. To enforce the rights to our trademark, I begin to prepare a demand letter, but lately, the inability to access the domain name or trademark infringer’s contact information has posed a significant problem.
Before May 2018, one could easily find a domain name owner by conducting a “WHOIS search.” When a person registers a domain name, the Internet Corporation for Assigned Names and Numbers (“ICANN”), a non-profit organization that helps coordinate the internet’s Domain Name System,1 required the domain name registrar (e.g., GoDaddy) to submit the personal contact information of the registrant to the WHOIS database, a public directory.2 Consequently, a WHOIS search yielded the name, mailing address, email address, phone and fax numbers of the registered owners or assignees of the domain name.3 For many brand owners seeking to enforce their rights, a WHOIS search was their first course of action.4 With the acquired information, a trademark owner could efficiently conduct investigations and send cease and desist communications.5
On May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”), which regulates and provides enhanced protections for personal data and privacy for all European Union (“EU”) citizens, took effect.6 Among other things, the GDPR regulates how organizations—such as Facebook or GoDaddy—can collect, use, and transfer the personal data of EU citizens in EU member states.7 For example, a company may be fined 2% of annual global revenue “for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.”8
In compliance with the GDPR, ICANN adopted a temporary specification to provide a framework for handling domain registration data.9 Specifically, the temporary specification requires registrars to “collect registration data and technical information in connection with a domain name registration. However, access to this data [is] restricted to layered/tiered access, where only users with a legitimate purpose can request access to non-public data through the registrars.”10 For the majority who do not request access or who are denied access to the registrant’s contact information,11 the WHOIS search now yields a limited, redacted version of previously available data.12 Only the country and state or province of the registrant is publicly displayed, while the name, address, and email address are hidden.13 Accordingly, the “GDPR has effectively made it easier for counterfeiters and infringers to evade detection,”14because trademark owners must now dedicate increased capital and human resources to locate the infringing registrant to enforce their rights.
Fortunately, there are a few temporary solutions for brand owners. Following the GDPR, the International Trademark Association (“INTA”) has provided a toolkit of tips to assist with the investigation and enforcement of rights, called “WHOIS Challenges: A Toolkit for IP Professionals.”15 Some of the investigation tips listed in the toolkit include using data sources outside of the WHOIS database—such as corporate and trademark databases—manually searching websites for contact information, or using the IP address to provide more detail on the website host’s location.16
Additionally, trademark rights holders may initiate a dispute under ICANN’s Uniform Domain Name Dispute Resolution Policy (“UDRP”). ICANN’s temporary specification allows UDRP providers (e.g., the World Intellectual Property Organization or the National Arbitration Forum) “to accept complaints … even if the complainant does not have the contact information for the respondent.”17 “Historically, the UDRP rules required a complainant to serve the complaint upon the domain name registrant at the contact information provided through the WHOIS service.”18 Following ICANN’s temporary specification, the complainant “may file a ‘Doe’ complaint and the provider shall provide the relevant contact details of the registered name holder after being presented with a ‘Doe’ complaint.”19
Nonetheless, the UDRP has been an inadequate solution for many.20 Under the UDRP, a complainant must prove the following three elements: (1) the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (2) the registrant has no rights or legitimate interest in the domain name; and (3) the domain name has been registered and used in bad faith.21 Unfortunately, the limited WHOIS data available impedes the brand owners’ ability to assess rights or legitimate interests in a domain name or bad faith registration and use.22 “[W]ithout full access to certain WHOIS data, a trademark owner cannot easily determine if the registrant is commonly known by the domain name, whether the domain name was registered primarily to disrupt the business of a competitor, or whether the registrant engaged in a pattern of bad faith or abusive registrations.”23 For example, as an intern, I frequently discover that the registrant’s first or last name is that of the auction house. It is essential to have this information beforehand as it affects how we choose to approach the domain name owner.
As ICANN develops a working solution for trademark owners, many are encouraged to use the strategies described above, or implement creative and strategic ways to protect their brand during this temporary period.
Terry Hart, WHO IS Infringing my Work? What the GDPR Means for the Domain Name Database, Copyright Alliance (May 29, 2018), https://copyrightalliance.org/ca_post/whois-domain-name-dnd/. [https://perma.cc/93JG-8EP4]↩
Information for Domain Name Registrants, ICANN, https://www.icann.org/registrants (last visited Nov. 5, 2018). [https://perma.cc/YRZ4-BK3Y]↩
Amy Grant, GDPR Is Coming, So What Now for WHOIS Domain Registration Data?, Tripwire (Apr. 18, 2018), https://www.tripwire.com/state-of-security/regulatory-compliance/gdp-whois/. [https://perma.cc/F8W5-P6BS]↩
Jennifer Theis, Trademark Enforcement Implications of Europe’s General Data Protection Regulation (GDPR), IPWatchdog (Sept. 11, 2018), http://www.ipwatchdog.com/2018/09/11/trademark-enforcement-implications-general-data-protection-regulation-gdpr/id=101060. [https://perma.cc/9ZWZ-D58A]↩
Supra note 3.↩
Frequently Asked Questions about GDPR, EUGDPR, https://eugdpr.org/the-regulation/gdpr-faqs/ (last visited Nov. 5, 2018). [https://perma.cc/PNT8-DEML]↩
Jaime Rich Vining, Domain Disputes Post-GDPR: For Now, a Temporary Solution, Daily Business Review (June 27, 2018, 10:17 AM), https://www.law.com/dailybusinessreview/2018/06/27/domain-disputes-post-gdpr-for-now-a-temporary-solution/. [https://perma.cc/X6BH-D7XY]↩
Hart, supra note 1.↩
Statton Hammock, GDPR and WHOIS: Adverse Impacts on Brand Protection, MarkMonitor (October 22, 2018), https://www.markmonitor.com/mmblog/gdpr-and-whois-adverse-impacts-on-brand-protection. [https://perma.cc/L9ND-GKQK]↩
Rebekah Sellars, WHO can see WHO on post GDPR WHOIS, Lexology (Sept. 24, 2018), https://www.lexology.com/library/detail.aspx?g=e8f0ac10-7e57-466e-8194-86ca9e02e15b. [https://perma.cc/L2JE-R8EW]↩
Theis, supra note 4.↩
WHOIS Challenges: A Toolkit for Intellectual Property Professionals, INTA, (June 15, 2018), https://www.inta.org/INTABulletin/Pages/WHOISChallengesAToolkitforIntellectualPropertyProfessionals7310.aspx/. [https://perma.cc/U3ZH-HZKE]↩
Vining, supra note 9.↩
Rules for Uniform Domain Name Dispute Resolution Policy, ICANN, https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en (last visited Nov. 7, 2018). [https://perma.cc/R2CL-9UAR]↩
Vining, supra note 9↩