The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and changed how companies collect and manage the personal data of people within the European Union. This article explains how the GDPR affects resellers, covering data processing, WHOIS information, consent management, and your reseller controls.
How Enom processes data
Resellers can review Enom's data-sharing practices. It is in the interest of Enom, our resellers, and registrants to prepare for heightened data sharing and privacy standards. Enom believes in the principles the GDPR upholds and extends its benefits to registrants worldwide.
| Topic | Details |
| --- | --- |
| Consent and contract | Any data that Enom or the registry/service provider requires to provide a TLD or other product is processed on a contract basis and included in our contractual agreement with the registrant. We do not need to send a consent request to process this data. Any additional data requested by the registry but not included in the contract can only be processed with consent from the registrant. |
| Data controller and processor | The data controller determines what data is processed and selects the means of processing, while the processor handles the data based on the requirements set by controllers. Enom does not have a direct relationship with the domain owner; we have a contractual one, as required by ICANN and other TLD policies. To enter our contract to sell a customer a domain name, we need certain personal data, such as the registrant’s first and last name, organization name (if provided), email address, and country. The legal basis for processing those data elements is the performance of a contract, and we are a controller for them. |
| Data timeline | Data processed from our service contract is kept for the lifetime of the service, plus up to 10 years after the service’s termination. Enom holds any data processed under the legal basis of consent for the same period as contract-based data, unless consent is withdrawn. In that case, the erasure process begins and can take 60 days to complete. |
| ICANN policy | ICANN policy has been updated in response to the GDPR and other worldwide data privacy legislation. When ICANN requirements for registrars conflict with our legal obligations, we follow the law first and comply with ICANN as best we can. |
GDPR and WHOIS information
Resellers can access all the WHOIS contact data we hold for their end-users within the reseller control panel. Data can only be shared when necessary to fulfill the intended purpose of collection. The public WHOIS system was incompatible with the data privacy principles the GDPR affirms. Registrant information is now redacted for privacy on WHOIS lookups and can be made public by adding WHOIS Publicity to a domain. Public WHOIS output still displays domain dates, status, nameservers, and sponsoring registrar.
Gated WHOIS information
The gated WHOIS is a portal where accredited third parties can access "full" WHOIS information, including personal data hidden from the public WHOIS. If the domain has ID Protect, the privacy masking data is displayed publicly and within the gated WHOIS. This means contact privacy details, including a contact privacy email, are displayed for domains with ID Protect in the gated WHOIS. For a helpful visual snapshot of the WHOIS differences, see our WHOIS changes blog post. The WHOIS output for privacy-protected domains is the same in both the public and gated WHOIS. We continue to require a court order or other legal documentation to access this information, as we do today.
WHOIS contactability service
When a person uses the form to send a message to the domain owner, we send an email to both the registrant and the sender.
Note: While the registrant may receive your message, they may not reply. Enom cannot control whether the registrant responds and does not reach out to registrants on behalf of interested parties.
The registrant's email address receives an email with the sender's message.
Consent management process
When a registrant visits their data sharing preferences, they find an up-to-the-minute list of all the active products they have registered. The Enom data sharing preferences information page includes an exhaustive list of the TLDs and services offered through Enom and the data elements required under contract or used only with consent.
Registry data sharing
For many TLDs, the registry provider requests data for which there is no contractual basis to process. In this case, we ask the registrant for consent to share these additional pieces of data with the provider. In most cases, even if the registrant withholds or fails to provide consent, Enom can immediately register the domain by sending the registry a combination of contractual data and placeholders for any data elements that can only be processed with consent. These domains can be registered immediately without using additional personal data beyond what is covered in the contract. If the registrant withholds or revokes consent, existing services remain active and pending orders are processed normally; Enom simply substitutes placeholder data for any consent-based personal data.
Data sharing preferences page
Enom is legally obligated to collect consent from registrants and provide a straightforward, accessible means of revoking consent. The data-sharing preferences page is our solution for fulfilling these obligations and is an essential part of our domain and service registration process. Enom is named on the page to allow for a white-labelled solution for our resellers, balanced with our legal obligations as a data processor and controller. The GDPR requires service providers to disclose what personal data they are processing, how it is held and processed, and by whom, so we are transparent about the fact that Enom is processing the data.
Product consent order
The order in which services are presented to the registrant is prioritized so that actionable or important items are seen first. Services are listed in the following order, when available:
- New products that still require consent from asynchronous products
- New products that still require consent from synchronous products
- Older products where the consent choice has been made for asynchronous products
- Older products where the consent choice has been made for synchronous products
The data collected depends on whether the service is registered as an individual or an organization, so some data described here may not actually be collected. Some registry and service providers request different information for organizations than for individuals. Our data use information page outlines all the data we collect for each service, on both contract and consent bases, and clearly indicates any differences between data collected for individual and organization registrant types.
Product consent groups
Each service or product offered through Enom falls into a particular consent group within our system. Once the consent preference is logged for a group, that choice applies to any future purchases of products within that same group.
For two products to fall within the same consent group, they must:
- Be offered through the same service provider
- Contractually require the same data elements
- Request the same consent-based data elements
For example, a registry might operate multiple TLDs that each contractually require the registrant's name, email, and country but also request consent to process the registrant’s phone number. These TLDs fall into the same consent group, so once the registrant sets their consent preferences for one, that choice applies to all future purchases of other TLDs in the group, and no further consent request emails are sent for those purchases. However, if the same registry offers another TLD requesting consent to process the registrant’s postal address in addition to their phone number, the registrant would receive a consent request upon purchasing it, as it falls into a distinct consent group.
Enom groups products this way to reduce the number of consent requests the registrant receives, while ensuring they retain complete control over which elements of their personal data are shared and with whom.
Consent emails
Consent emails can be triggered by the registration, update, or transfer of a domain. When the registrant sets their consent preferences, their choices are logged and applied to any future purchases of products within the same consent group. However, if they purchase a service for which the provider requests additional data beyond what the registrant has already granted or withheld consent for, they may receive another consent request. The Enom system waits one minute before sending a consent request email; if multiple services are purchased together, a single consent request email is sent for all services. If an end-user makes multiple purchases more than one minute apart, multiple emails are sent. Consent emails can only be sent to the registrant's address, as other emails are not considered secure and would violate the GDPR.
A link to the data sharing preferences page can be resent to the registrant's email by initiating a request through your control panel or via the API.
Replying to consent emails
Our system assumes no consent until consent is granted; there is no time-out period. Enom still sends a consent request email to the registrant to ensure they have access to the data use information page, even if no consent is required, to fulfill our commitment to transparency. A link to the data sharing preferences page can be resent to the registrant's email by initiating a request through your control panel or via the API.
Reseller controls and management
Information and data management
Resellers should not alter registrant information. Certain pieces of information, such as the registrant's full name, organization, email address, and country, are always required. We need this data for contractual use and to identify the owner of the domain, and our Domain Registrant Agreement requires the registrant to provide complete and accurate information. The list of contractually required data elements for a particular TLD or service may be longer, depending on Enom's contract with the registry or service provider.
Placeholder data
While not recommended, you can substitute placeholder data for any data elements processed using consent as the legal basis when placing orders, but you cannot leave these fields empty. If the consent-based data is withheld and placeholders are used, and the client later decides to consent to the data being used, they may be confused to find that even after consenting, the data is not listed on their domain registration record.
Resellers and the consent page
There is no option to disable or bypass the consent page as a reseller. Enom is legally obligated to collect consent from registrants and provide a straightforward, accessible means of revoking it, and this page cannot be edited. The majority of the text on the data use consent settings page is legal information we are obligated to disclose, so it cannot be modified.
Next steps
- For the full GDPR overview, see General Data Protection Regulations (GDPR).
- To let registrants publish their contact data, see WHOIS Publicity.
Questions? Contact Enom Support.