Originally published at https://monstadomains.com/blog/new-gtld-domain-privacy/
If new gTLD domain privacy is not already on your checklist, April 30, 2026 is about to force the issue. That is the date ICANN officially opens its application window for a new wave of generic top-level domains – the first major DNS expansion in 14 years. Hundreds of new registry operators could be approved over the next two years, each one setting its own rules around registrant data collection, RDAP disclosure, and privacy proxy availability. For anyone who registers domains to protect their identity, the 2026 expansion is not background noise. It is a direct challenge to new gTLD domain privacy as it functions today.
ICANN Opens the 2026 gTLD Application Window
ICANN has confirmed that new generic top-level domain applications will be accepted from April 30 through August 12, 2026, under the official 2026 Round guidelines published by the ICANN new gTLD program. The evaluation fee is $227,000 per string applied for – a price point that screens out individual applicants but leaves the door open to brands, community organisations, geographic entities, and commercial registry operators of every description. ICANN intends to publish the full application list on Reveal Day, scheduled roughly nine weeks after the August 12 close – likely sometime in October 2026. Initial delegations, when new TLDs actually enter the DNS root, are expected 12 to 18 months after that.
This is not a minor administrative update. The last expansion, which ran from 2012 to 2014, added hundreds of extensions to the internet – from .club and .xyz to .photography and .travel. New gTLD domain privacy protections during that round were deeply inconsistent. Registry operators varied in what personal data they required from registrars, how much they exposed via WHOIS, and whether they even permitted privacy proxy services. The 2026 round is expected to dwarf that expansion in scale and in the complexity of the privacy landscape it generates. If you want context on how quickly registry agreements can reshape registrant protections, the recent change to ICANN’s domain transfer lock policy is a useful illustration.
What the 2026 Expansion Actually Changes
Global domain registrations reached 386.9 million names in 2025, with 6.1 percent year-over-year growth – the fastest rate since 2014. New gTLDs alone grew by 30 percent in 2025 as demand for extensions beyond .com and .net continues to accelerate. The 2026 round is expected to intensify this significantly. Analysts anticipate a surge of applications for brand TLDs, community extensions such as .developer and .artist, geographic TLDs covering cities and regions, and Web3-integrated extensions built for crypto and decentralised platforms.
The diversity sounds positive on the surface. In practice, it means new gTLD domain privacy will be governed by hundreds of distinct policy frameworks rather than any consistent standard. A registrar genuinely committed to your privacy has no power over what the upstream registry operator requires it to collect and report. Understanding new gTLD domain privacy obligations at the registry level – not just the registrar level – is essential before committing to any extension that enters the root under this round.
New gTLD Domain Privacy and Why It Gets Complicated
The registrar-registry-ICANN relationship is the part of the domain industry most registrants never examine – and it is precisely where new gTLD domain privacy actually gets decided. ICANN sets baseline requirements through its Registry Agreement, which mandates certain data collection and RDAP endpoint exposure. But the Registry Agreement leaves substantial room for individual operators to define their own policies around what data is shared publicly, how long it is retained, and whether privacy proxy services are permitted at all.
Registry Agreements and WHOIS Requirements
Every new TLD registry approved through the 2026 round must sign a Registry Agreement with ICANN. That agreement requires the operator to maintain an RDAP-compliant database of registration data – a structured, machine-readable format that has progressively replaced the legacy WHOIS protocol. RDAP makes registration data under new gTLDs significantly easier for third parties to query at scale. Where the old WHOIS system returned slow, inconsistently formatted text, RDAP delivers clean JSON objects with consistent field names designed for programmatic, bulk access. The transition happened gradually, but its implications for registrant exposure are direct and lasting.
Registry Data Policies Vary Wildly by TLD
Not every new TLD registry will permit privacy proxy services. Brand TLDs – where the registry and registrant are the same corporate entity – often have no use for them and may explicitly prohibit third-party proxies to comply with trademark or anti-fraud policies. From the 2012-2014 expansion, there are documented cases of new TLDs that launched with disclosure requirements strict enough to make new gTLD domain privacy services effectively unavailable to ordinary registrants, even when the registrar offered privacy protection for other extensions. The 2026 round provides no structural guarantee this pattern will not repeat.
Not All Privacy Services Work the Same Way
Genuine WHOIS privacy protection works by substituting the registrar’s or a proxy provider’s contact details in place of your own in the public RDAP and WHOIS databases. For this substitution to hold, the registry must explicitly permit it under its ICANN agreement. If the registry’s policy prohibits proxy substitution, your real registration data will appear in RDAP queries regardless of what your registrar charges you for privacy. This is a known failure mode from the last expansion round, and nothing in the 2026 application process has directly addressed it at the policy level. New gTLD domain privacy at the registrar layer is only meaningful when the registry upstream allows it.
How New TLDs Can Expose Your Registration Data
The RDAP transition, pushed aggressively by ICANN through 2024 and 2025, is now largely complete for existing TLDs. New TLDs launching under the 2026 round will be RDAP-native from day one – no legacy WHOIS fallback, no data format inconsistency, just clean machine-readable registration records that are straightforward to query, aggregate, and cross-reference with other datasets. For data brokers, surveillance vendors, and anyone building identity profiles from open-source intelligence, new gTLD domain privacy under RDAP is a significantly weaker proposition than it was under the older system.
The structured nature of RDAP is the core problem. Unlike WHOIS, which returned freeform text that required custom parsing logic, RDAP returns JSON objects with consistent field names that any developer can consume in minutes. Automated harvesting of registrant data across thousands of new TLDs becomes trivially simple once those extensions are delegated. New gTLD domain privacy is not just about whether your name appears in a lookup today – it is about whether the data architecture of a new extension makes it easy to surveil registrants at scale across an entire new wave of domains.
New gTLD Domain Privacy Risks to Watch in 2026
The first risk is fragmentation. With potentially hundreds of new extensions entering the root over the next two years, tracking which ones genuinely support privacy proxy services is a research task most registrants will not perform. New gTLD domain privacy cannot be assumed – it has to be verified at the registry agreement level for each specific extension. Extensions that appear privacy-friendly in the registrar interface may carry upstream data obligations that negate any proxy service you pay for.
The second risk is the brand TLD problem. When a company operates both the registry and registers domains under its own extension, new gTLD domain privacy does not apply in any meaningful sense – the corporate entity controls the registry database and faces no obligation to protect registrant data from itself.
The third risk is jurisdictional unpredictability. Many 2026 applicants are based outside the EU, UK, or California – jurisdictions with at least some legal baseline for data protection. A registry operator incorporated somewhere without meaningful privacy law can collect and share registrant data with minimal constraint, regardless of what your registrar does at the front end.
A fourth risk is backend data retention. Even when a privacy proxy successfully shields your contact details from the public RDAP feed, the registry still holds your actual registration data in its backend systems to satisfy ICANN requirements. If that registry is acquired, breached, or served with a legal demand, your real details are in play. New gTLD domain privacy at the registrar layer provides real and important protection – but it cannot insulate you from what the registry itself is obligated to retain. These four risks together make the 2026 expansion a genuinely complex landscape for anyone building an anonymous web presence.
What Privacy-Conscious Registrants Should Do Now
The April 30 application window means new TLDs will not reach the DNS root for another 18 to 24 months at minimum. But the registry agreements being finalised right now will determine new gTLD domain privacy protections for the entire operational lifetime of those extensions. Before registering under any extension that launches in 2027 or 2028, check three things: whether the registry’s ICANN agreement explicitly permits privacy proxy substitution, where the registry is incorporated and what data law governs it, and whether your registrar operates on a genuine zero-data model or is simply reselling a proxy service managed by a third party that holds your real details.
For registrants who prioritise anonymity, the safest approach remains building on extensions with established, tested privacy track records – and pairing that with a registrar that never collects identity data to begin with. Verifying that your existing WHOIS protection is actually working is worth doing right now; a WHOIS lookup on your own domain will show exactly what is currently public. The EFF’s guidance on digital privacy rights provides a useful framework for evaluating any new extension’s data practices as the 2026 expansion unfolds. Registrants in high-risk roles should also review the specific considerations covered in our piece on domain privacy for activists and journalists, since the same threat models apply directly here.
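The self-check described above, confirming what a lookup on your own domain actually makes public, can be run against the RDAP JSON for that domain. The following is an added example, not code from the original article: it walks the entities of an RDAP domain response (RFC 9083 shape, jCard contact data) and reports which of your own details appear. The `entity` helper, the `MINE` list and both sample records are constructed for illustration.

```python
# Added example: audit which of your own details an RDAP domain response exposes.
# Sample records are constructed (RFC 9083 shape); they are not real registrations.
PERSONAL = {"fn", "org", "email", "tel", "adr"}  # jCard properties that identify a person

def flatten(value):
    """Yield non-empty strings from a jCard value (adr values are nested lists)."""
    if isinstance(value, (list, tuple)):
        for item in value:
            yield from flatten(item)
    elif value:
        yield str(value)

def walk(entities):
    """Yield every entity, including contacts nested under another entity."""
    for ent in entities or []:
        yield ent
        yield from walk(ent.get("entities"))

def contact_fields(ent):
    """Yield (property, text) for the personal jCard properties of one entity."""
    for name, _params, _type, *values in ent.get("vcardArray", ["vcard", []])[1]:
        text = " ".join(flatten(values))
        if name in PERSONAL and text:
            yield name, text

def exposed_details(rdap, my_details):
    """Return sorted (role, property) pairs whose public value contains one of my_details."""
    needles = [d.casefold() for d in my_details if d]
    hits = set()
    for ent in walk(rdap.get("entities")):
        for prop, text in contact_fields(ent):
            if any(n in text.casefold() for n in needles):
                hits.update((role, prop) for role in ent.get("roles") or ["unknown"])
    return sorted(hits)

def entity(role, fn, email):  # hypothetical helper that builds a sample RDAP entity
    card = [["version", {}, "text", "4.0"], ["fn", {}, "text", fn], ["email", {}, "text", email]]
    return {"objectClassName": "entity", "roles": [role], "vcardArray": ["vcard", card]}

MINE = ["Jane Doe", "jane@example.org"]  # the real details you registered with (constructed)
PROXIED = {"objectClassName": "domain", "ldhName": "shielded.example",
           "entities": [entity("registrant", "Privacy Proxy Service", "proxy@privacy.example")]}
UNPROXIED = {"objectClassName": "domain", "ldhName": "exposed.example",
             "entities": [entity("registrant", "Jane Doe", "jane@example.org"),
                          entity("technical", "Hosting NOC", "noc@host.example")]}

if __name__ == "__main__":
    for record in (PROXIED, UNPROXIED):
        print(record["ldhName"], exposed_details(record, MINE) or "no personal details public")
```

An empty result means none of the details you supplied appear in the public record; it says nothing about what the registry retains in its backend.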
The Bottom Line
The 2026 gTLD expansion is the biggest structural change to the domain name system in over a decade, and new gTLD domain privacy sits directly in its path. New extensions will not all offer equal protections – some registry operators will be genuinely privacy-respecting, others will expose registrant data through policy gaps, jurisdictional mismatches, or RDAP-native disclosure architectures that make bulk harvesting straightforward. Treating each new extension as an unknown quantity until its registry agreement has been examined is not paranoia. It is the only rational approach for anyone who uses domain registration as part of their privacy infrastructure.
The most reliable protection starts by removing your real identity from the supply chain entirely – at the point of registration, before any registry ever sees your data. MonstaDomains offers anonymous domain registration with zero KYC requirements and crypto-only payments, so your identity stays out of the system regardless of which registry operator ends up holding the RDAP record upstream.