MonstaDomains

How New gTLD Privacy Rules Changed With the 2026 ICANN Round

Originally published at https://monstadomains.com/blog/new-gtld-privacy-rules/

Every decade or so, ICANN reshapes the domain name landscape. On April 30, 2026, it opened the application window for its next-generation top-level domain program, and buried inside the Applicant Guidebook are new gTLD privacy rules that change the data exposure equation for every future registrant. This round does not just introduce extensions like .city or .brand. It fundamentally alters how registration data is handled, who can see it, and under what conditions your identity can be disclosed. If you run a website and care about anonymity, these changes matter – even if you are not applying for a new top-level domain yourself.

ICANN Opens the 2026 gTLD Application Window

On April 30, 2026, ICANN formally opened the submission window for what is shaping up to be the most consequential expansion of the domain name system since 2012. Organizations, businesses, and communities have until August 12, 2026 to submit applications. The non-refundable evaluation fee sits at USD 227,000 per application, according to ICANN’s official announcement. Industry analysts estimate between 600 and 1,500 applications will be submitted, with more .brand extensions, more geographic TLDs, and more niche industry-specific domains expected than the 2012 round produced. The first new TLDs from this round will likely go live in late 2027 or early 2028.

To understand why new gTLD privacy matters more in this round than the last, you need to understand what changed in the underlying rulebook. The 2026 Applicant Guidebook is not a cosmetic update of the 2012 version. It rewrites the contractual obligations that every new registry must meet from day one – and the registration data rules have been completely overhauled.

New gTLD Privacy Rules Got a Full Rebuild

The new gTLD privacy framework in the 2026 round is not an incremental update. ICANN’s Registration Data Policy was revised as recently as May 12, 2026, incorporating a board-adopted set of recommendations that changes how registrars handle, store, and disclose registrant information. Two structural changes are driving this shift. First, WHOIS – the decades-old public lookup system that exposed registrant names, addresses, email addresses, and phone numbers to anyone with a browser – has been formally retired in favour of RDAP, the Registration Data Access Protocol. Second, every registry that emerges from this round is contractually bound to implement RDAP from launch day, with no legacy exceptions allowed.

New gTLD privacy protections under RDAP are meaningfully stronger than WHOIS ever offered. Sensitive registrant data sits behind access controls and does not appear in standard public queries. A lookup that previously returned a full contact card now returns technical information only – nameservers, registry status codes, registration and expiry dates – unless the requestor has an established legal basis for accessing more.

RDAP Replaces WHOIS as the Registration Data Standard

WHOIS was never designed with privacy in mind. Built in the 1980s, it was an open-access database that anyone could query to find exactly who registered a domain. For decades, privacy advocates flagged this as a serious exposure risk. Stalkers used it to locate individuals. Data brokers scraped it to build contact lists. Spammers harvested email addresses from it by the millions. ICANN finally drew a line, and RDAP is the replacement it has been building toward for years.

What RDAP Actually Shows Publicly

Under RDAP, the default state for sensitive registrant data is hidden. Standard public queries return technical data only – nameservers, registration dates, expiry dates, and registry status codes. A researcher running a new gTLD privacy lookup will not automatically get a registrant’s name, phone number, or physical address from the results. That represents a genuine structural improvement over the WHOIS era. RDAP is also machine-readable in a consistent format across registrars, which means privacy tools can work with it more reliably than they ever could with the ad-hoc WHOIS output formats of the past.

How RDAP Handles Law Enforcement Requests

The May 12, 2026 update to ICANN’s Registration Data Policy added a specific requirement around urgent disclosure requests. When law enforcement or another party with a recognized legal authority requests non-public registration data, registrars must respond within defined timelines. Requests must go through a structured disclosure process, and registrars are required to assess the legal basis before sharing any data. This is a more accountable system than the informal WHOIS access arrangements of the past – but it is still a disclosure pathway that exists and that all ICANN-accredited registrars must participate in.

The Structured Disclosure Process That Did Not Go Away

It would be misleading to describe RDAP as a privacy shield with no holes. The May 2026 policy update makes the disclosure pathway more formal, not more closed. Accredited requestors – including law enforcement agencies and certain intellectual property claimants – can still obtain non-public registration data. ICANN’s framework requires registrars to respond to urgent requests within a newly codified timeframe. The system is designed to add accountability to data disclosure, but it does not eliminate the risk of disclosure for registrants whose data has been collected.

What this means for new gTLD privacy at the registrar level is straightforward: the gatekeeper role matters enormously. A registrar that complies minimally with every incoming request produces very different outcomes for registrant anonymity than one that rigorously challenges legal basis and jurisdictional authority before sharing anything. The new rules set a floor. How high the ceiling goes depends entirely on who you register with.

What New gTLD Registries Are Now Required to Do

Every organisation that successfully applies in the 2026 round and receives a new TLD will be operating under the 2026 Base Registry Agreement. This agreement is substantially different from the 2012 version. Registries must implement RDAP from day one, comply with the updated Registration Data Policy, and operate their TLD in an open and non-discriminatory manner. That last requirement is new and significant: ICANN has explicitly banned closed generic TLDs. An applicant cannot apply for a generic term and then restrict registration to their own business operations. Every qualifying registrant must have access.

New gTLD privacy protections cannot be selectively applied to corporate registrants while shutting out the general public. Because registries must operate openly, their privacy policies must scale to every registrant type – individual, business, and activist alike. That is a higher bar than many 2012-era registries were ever held to, and it creates a more consistent privacy baseline across the new TLD namespace as it expands.

ICANN Banned Closed Generic TLDs in the 2026 Round

This is one of the least-discussed but most consequential changes in the 2026 Applicant Guidebook. Under 2012 rules, companies could apply for generic terms – like .app or .search – and run them as closed registries serving only their own products. Critics called this the monopolisation of common language on the internet. ICANN responded. In the 2026 round, any applicant for a generic term must operate the TLD openly, accessible to any qualifying registrant on a non-discriminatory basis.

Contention resolution has also been tightened. The 2026 guidebook explicitly prohibits private arrangements to resolve contention between competing applicants for the same string. Only a community priority evaluation or an ICANN-run auction can be used to settle disputes. This matters for new gTLD privacy because private contention deals previously operated without transparency – meaning which organisation ended up controlling a sensitive or widely-used extension was sometimes decided in backrooms rather than through accountable processes.

New gTLD Privacy Implications for Domain Owners

If you are not applying for a new TLD – if you are just a registrant who wants to run a website without handing over your identity – why does any of this matter to you?

The Registration Data Gap in Existing gTLDs

Existing gTLD registrants are not automatically upgraded by the 2026 policy changes. If you registered a domain under .com, .net, or a 2012-era extension, your data sits under the rules that applied when you registered. RDAP is increasingly available across older TLDs, but the new gTLD privacy requirements are contractually mandated specifically for registries emerging from this round. The standard may be structurally higher in new TLDs than in legacy ones – a legitimate reason to consider newer extensions for privacy-sensitive projects launching after the first post-2026 TLDs go live.

For any domain you register today – new or legacy extension – the registrar’s privacy posture remains the dominant factor. New gTLD privacy rules govern what the registry must do, not what your individual registrar does when handling your data internally. A registrar that demands identity documents, stores your home address, and accepts only traceable payment methods introduces risks that RDAP simply does not address. The WHOIS lookup layer has improved. The identity collection layer has not, unless you deliberately choose a registrar that decided not to collect it at all.

For background on how ICANN’s registration data requirements have developed over time, our earlier coverage of the ICANN registration data policy remains a useful reference point for understanding the regulatory history behind these 2026 changes.

What You Should Do Before Registering a New gTLD Domain

New gTLD privacy rules establish the regulatory framework. Your individual choices determine the actual outcome. Three practical steps apply right now, regardless of whether the specific extension you want is available yet.

First, choose a registrar that does not collect what it cannot be forced to share. New gTLD privacy rules at the registry level cannot protect you if your registrar is sitting on a database full of your KYC documents, real name, and physical address. Zero-collection at the registrar level means zero-disclosure risk at the registrar level. That is the only version of privacy that holds under sustained legal pressure.

Second, apply WHOIS privacy protection to every domain you register regardless of TLD. Even as RDAP becomes the dominant standard, many query tools still reach older WHOIS endpoints for legacy data. Masking your registration details at the source ensures that whatever older lookup systems surface about your domain, your real contact information is not part of it.

Third, run your own check. Use a WHOIS lookup tool after you register any domain to see exactly what data is publicly visible. What you see is what a data broker, stalker, or law enforcement agency sees before making a more formal request. If anything surfaces that should not be there, address it with your registrar immediately rather than assuming the problem will resolve itself.
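The check in the third step can also be run against RDAP output, using the split described under "What RDAP Actually Shows Publicly". The sketch below is an added example, not code from the original post or from ICANN. It assumes the RDAP domain response for your own domain has already been fetched and parsed from JSON, and that contact data uses the jCard "vcardArray" layout. The function names, the redaction wording list and the sample response are constructed for illustration.

```python
# jCard (RFC 7095) properties that carry personal contact data.
PERSONAL_PROPS = {"fn", "n", "org", "adr", "tel", "email"}
# RDAP roles describing the domain's own contacts, not the registrar.
CONTACT_ROLES = {"registrant", "administrative", "technical", "billing"}
# Assumed placeholder wording; extend to match what your registrar publishes.
REDACTION_MARKERS = ("redacted", "privacy", "withheld", "not disclosed")

def _strings(value):
    """Yield each non-empty string in a jCard value (adr values are nested lists)."""
    if isinstance(value, str) and value.strip():
        yield value.strip()
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)

def _entities(obj):
    """Walk entities recursively; RDAP allows entities nested inside entities."""
    for ent in obj.get("entities", []):
        yield ent
        yield from _entities(ent)

def audit_rdap(response):
    """Split an RDAP domain response into technical data and visible contact data."""
    technical = {
        "nameservers": [ns.get("ldhName") for ns in response.get("nameservers", [])],
        "status": response.get("status", []),
        "events": {e.get("eventAction"): e.get("eventDate") for e in response.get("events", [])},
    }
    visible = []
    for ent in _entities(response):
        roles = sorted(CONTACT_ROLES & set(ent.get("roles", [])))
        if not roles:
            continue  # registrar and abuse contacts are not registrant data
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] not in PERSONAL_PROPS:
                continue
            for text in _strings(prop[3:]):
                if not any(m in text.lower() for m in REDACTION_MARKERS):
                    visible.append((roles[0], prop[0], text))
    return technical, visible

# Constructed sample response (not real registration data).
SAMPLE = {"ldhName": "example.test", "status": ["client transfer prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2026-01-15T00:00:00Z"}],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["fn", {}, "text", "REDACTED FOR PRIVACY"],
            ["adr", {}, "text", ["", "", "", "", "", "", "IS"]],
            ["email", {}, "text", "owner@example.test"]]]}]}
```

Calling audit_rdap(SAMPLE) returns the technical fields plus two visible registrant values, the country code and the email address. An empty second list means no contact data for those roles appeared in the public response.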

The Bottom Line

Three things are true simultaneously about the 2026 ICANN application round. New gTLD privacy rules are the strongest ICANN has ever written into its registry agreements – RDAP is a genuine improvement over decades of WHOIS exposure, and the prohibition on closed generics finally closes a loophole that let corporations monopolise common language on the internet. But the structured disclosure pathway still exists. And it is the registrar – not the registry – that ultimately determines whether your identity is protected when a request arrives.

Whether you are registering under a legacy extension today or waiting for a 2027-era new TLD to launch, the decision that matters most is who holds your registration data. A registrar that never collects your identity in the first place cannot be compelled to share it. That is the privacy baseline worth demanding – and it is available right now, not in 2028.

If you want to register a domain without handing over your identity, MonstaDomains operates with zero KYC requirements, crypto-only payments, and WHOIS protection built in by default. The new gTLD privacy overhaul is a meaningful step forward for the industry. You do not have to wait for the next TLD wave to start registering privately today.
