Originally published at https://monstadomains.com/blog/new-gtld-privacy-protection/
The internet is about to get a lot bigger, and the rules around new gTLD privacy have fundamentally changed. On April 30, 2026, ICANN formally opened the application window for its second round of new generic top-level domains – the first such opportunity since 2012. What matters most for privacy-conscious domain owners is not the sheer number of new extensions expected to emerge from this round, but the new gTLD privacy protection framework that every registry is now contractually required to implement from day one. If you own a domain or are planning to register one, this shift affects you directly.
ICANN Opens the 2026 New gTLD Application Window
The April 30 opening marks the beginning of the biggest expansion of the domain name system since the first new gTLD round launched in 2012. Organisations willing to pay the USD $227,000 application fee can now submit proposals for entirely new top-level extensions – from brand-specific TLDs to geographic, industry-specific, and community-focused extensions. The submission window closes on August 12, 2026. What separates this round from its predecessor is not just scale – it is the embedded new gTLD privacy requirements that every new registry must follow from the moment it goes live.
The first round produced more than 1,200 new extensions including .app, .blog, .shop, and .cloud, according to ICANN’s official 2026 Round information page. This second round is expected to be equally large or larger, with internationalized domain names covering more than 300 languages a central feature for the first time. New gTLD privacy standards in this round are embedded in the foundational contracts, not treated as optional additions that individual registries can skip.
WHOIS Is Dead. RDAP Is the New Standard.
For decades, WHOIS was the public directory for domain registration data. Enter a domain into any lookup tool and the registrant’s name, address, email, and phone number came back – visible to anyone, harvestable in bulk, designed with zero concept of modern privacy norms. That protocol has been formally retired. Every registry operating under the 2026 Base Registry Agreement must implement RDAP – the Registration Data Access Protocol – as the exclusive standard for domain data lookups. New gTLD privacy protection under RDAP is built on a fundamentally different model: restricted access by default rather than open exposure.
From Public Directory to Access-Controlled Protocol
RDAP is not a cosmetic update to the same old public data directory. It changes the architecture of how registration data is exposed. Standard public RDAP queries return only what the registrar has designated as publicly available – typically the domain name itself, registration dates, and nameservers. Sensitive contact data sits behind access controls. Anyone seeking full registrant details must submit an authenticated, structured request. The registrar is then required to evaluate the legal basis for that request before sharing anything. This ends the old model where new gTLD privacy was entirely dependent on whether an individual registrar offered a proxy service. Under RDAP, restricted access is the starting point, not the exception.
The practical consequence for domain owners is significant. Bulk WHOIS harvesting – the technique that fed spam databases, enabled domain hijacking campaigns, and allowed anyone with a scraper to compile lists of domain owners with their home addresses – is no longer viable against RDAP-based registries. New gTLD privacy protection under this model means your contact data is not sitting in a public directory waiting to be collected. For journalists, activists, and anyone who has ever registered a domain under their real name, this is a genuine structural improvement over what existed before.
What New gTLD Privacy Protection Means for Registrants
The new gTLD privacy requirements in the 2026 Base Registry Agreement are contractual obligations, not suggestions. Every new registry that emerges from the current application round must implement RDAP, operate under updated registration data standards, and follow a structured disclosure process for any non-public registrant information. Requests for private data must go through a formal access channel, and registrars are required to assess the legal basis before sharing anything. This is a direct departure from the old WHOIS era, where registrant data was simply public and available to anyone with a terminal.
New gTLD privacy protection under the 2026 framework also encourages minimal data collection at the registry level. Registrars are pushed toward collecting only what is operationally necessary rather than building extensive profiles on every domain owner. The data that does not exist cannot be breached, subpoenaed, or handed to a third party under informal pressure. For privacy-first registrants choosing domains under new extensions, the new gTLD privacy baseline in this round is stronger than anything that applied during the first round or under most legacy TLD contracts.
Privacy Risks the 2026 Round Does Not Fix
New gTLD privacy protection improvements under RDAP do not make every new extension automatically safe for anonymous registration. The 2026 framework sets a minimum floor, not an absolute guarantee. Individual registrars still determine how much data they collect at registration time, what payment methods they accept, and how they respond to informal disclosure requests. A registrar that demands your name, address, and a government ID scan before activating a domain does not become privacy-friendly simply because it uses RDAP for lookups. The data collection problem happens before any RDAP query is ever made.
WHOIS privacy services – where a proxy contact replaces your real details in the registration record – remain relevant even under RDAP. Most registrars still offer this as an option. For new gTLD privacy to mean anything concrete, you need a registrar that defaults to protection rather than treating it as an upsell. That means checking what a registrar’s WHOIS protection policy looks like before you commit to registering through them, regardless of which TLD you are targeting.
What the RDAP Transition Reveals About ICANN’s Direction
The mandatory RDAP requirement for new gTLD registries is consistent with a multi-year shift at ICANN toward privacy-aware policy. The organisation faced sustained criticism after GDPR came into force in 2018, with its longstanding WHOIS policy directly clashing with European data protection law. The 2026 round’s new gTLD privacy requirements represent a structural response to that conflict – building the lesson into the next generation of domain infrastructure from the beginning, rather than applying patches after the fact.
The Electronic Frontier Foundation has argued for decades that online services should collect only the minimum data necessary and that public exposure of private contact information causes direct harm to registrants. The new gTLD privacy framework in the 2026 Base Registry Agreement reflects that principle more closely than any previous ICANN policy. Progress is real, but ICANN’s track record on privacy has been uneven, and the gap between written policy and registrar-level practice is where most of the risk still lives.
New gTLD Privacy Protection in Practice: What to Watch For
As new TLDs emerge from the 2026 round over the coming years, new gTLD privacy protection will vary considerably depending on which registry operates the extension and which registrar you use. Some new registries will be brand-controlled and tightly restricted – registering under a corporate-owned extension is unlikely to offer any meaningful anonymity. Others will be open to the public and function like any generic TLD. The new gTLD privacy standards embedded in the 2026 base agreement apply across all of them, but your practical experience of privacy will depend heavily on your registrar and the nature of the specific extension.
When a new TLD opens for registration, ask three questions before signing up: does the registry require verified identity to register? Does the registrar offer proxy registration or zero-KYC options? Does the RDAP output for that TLD restrict access to contact data by default or expose it publicly? New gTLD privacy protection is strongest when all three conditions favour the registrant. When they do not, you need to compensate through your registrar choice – one that requires no identity documents and accepts privacy-preserving payment methods by default.
Why Your Registrar Choice Still Determines Your Privacy
Even within a well-designed new gTLD privacy framework, the registrar is the entity that actually handles your data. They collect payment information, store contact records, and respond to disclosure requests. The new gTLD privacy rules constrain what registrars can expose publicly via RDAP, but they do not prevent a compliant registrar from collecting more data than necessary, using payment methods that tie your identity to your domain, or cooperating with third-party data requests beyond the legal minimum. A registrar like MonstaDomains – which operates under a zero-KYC model with crypto-only payments and automatic WHOIS protection – closes the gaps that protocol upgrades cannot close on their own. For a deeper look at what registrars are required to hold, see this breakdown of ICANN registration data policy.
What Domain Owners Should Do Before New gTLDs Go Live
The application window runs until August 12, 2026. New TLD delegation typically takes at least a year or two beyond that, so widespread availability of new extensions is still some time away for most registrants. That means the most impactful new gTLD privacy protection decisions you can make right now concern your existing registrar, not future extensions. If the registrar you use today requires identity verification, stores card details linked to your domains, or exposes your contact information without a proxy, changing registrar is a more immediate privacy improvement than waiting for the new TLD wave.
When new extensions do open for registration, treat each one the same way you would any domain purchase: use a registrar that defaults to privacy protection, pay with cryptocurrency where possible, and enable WHOIS proxying as the first step rather than an afterthought. New gTLD privacy protection under the 2026 base agreement gives you a structurally better starting point than previous rounds provided, but it still requires deliberate choices at every step of the registration process.
What This Means for You
The ICANN 2026 round is the most significant domain infrastructure event in over a decade. WHOIS is gone as the public default. RDAP brings access controls and structured disclosure to every new registry born from this application round. New gTLD privacy protection is now a contractual baseline rather than an optional feature, and that is genuine progress worth acknowledging. At the same time, protocol-level improvements only matter when the registrar handling your data is also operating with privacy as the actual priority – not as a marketing claim.
New gTLD privacy protection is strongest when the framework, the registry, and the registrar all align. The framework is now set. The registries are being shaped through 2026. The registrar is the part you control today. Choose one that requires no KYC, accepts cryptocurrency, and includes WHOIS protection as the default rather than the upsell. If you are ready to register a domain with genuine privacy built in from day one, register your domain with MonstaDomains – no identity required, crypto payments only.
Top comments (0)