Originally published at https://monstadomains.com/blog/new-gtld-round-2026/
On April 30, 2026, ICANN opens the application window for the new gTLD round 2026 – the first major expansion of the internet’s domain name system since the 2012 program produced over 1,200 new extensions. For businesses, brands, and communities, that sounds like opportunity. For anyone who cares about online privacy, it should read as a warning. The new gTLD round 2026 is not just about more choices in domain suffixes. It is about hundreds of new registries entering the market, each one becoming a fresh point of data collection about who registers what, and why.
The New gTLD Round 2026 Opens on April 30
The application window opens at 23:59 UTC on April 30, 2026, and remains open until August 12, 2026 – a period of just over three and a half months. Any eligible legal entity can apply for its own top-level domain during the new gTLD round 2026: a branded extension like .yourcompany, a geographic string, a community domain, or an entirely new generic suffix that does not yet exist. Based on the 2012 round fee structure, the base application fee runs into the hundreds of thousands of dollars, which filters out casual applicants but not corporations, governments, or well-funded interest groups with specific reasons to want their own corner of the DNS.
Once the window closes, ICANN begins its evaluation process. The new gTLD round 2026 will likely produce hundreds to potentially thousands of new delegated TLDs entering the root zone over the following years. ICANN has confirmed that the TLD Application Management System, known as TAMS, is the platform through which every application will be submitted and processed. According to ICANN’s February 2026 progress update, the organization would not open the window until internal testing of TAMS was complete and its security was confirmed by independent review.
What a New Registry Actually Means for Registrant Data
When a new TLD gets delegated, a registry operator steps in to run it. That registry operator – not ICANN, not your registrar – sets the policies for what data gets collected from every domain registered under that extension. The contracts they sign with ICANN establish minimum standards, but the details that matter most for privacy live in the registry’s own agreements with the registrars that sell domains under their TLD. Those agreements are not always made public, and they are rarely written with the registrant’s interests as the primary concern.
WHOIS Requirements That Still Apply
Even after the post-GDPR reforms to WHOIS, registries participating in the new gTLD round 2026 are still required to maintain registration data under ICANN’s Registration Data Access Protocol, known as RDAP. RDAP replaced the old port-43 WHOIS system but still collects registrant contact information at the point of registration. Whether that data is publicly visible or held behind an access gate depends entirely on the individual registry’s policies. Some will require full public disclosure. Others will follow a gated model where accredited parties can request access. If you are a journalist, activist, or anyone operating online without wanting your real identity attached to your domain, that difference is not minor – it is the line between exposed and protected. A solid WHOIS protection service can shield your contact details regardless of what a new registry chooses to expose by default.
Lessons the 2012 Round Left Behind
The 2012 new gTLD program provides a useful preview of what happens when hundreds of new registries enter the market at once. That round attracted approximately 1,930 applications. Many of the resulting registries built data collection practices aligned with their commercial interests rather than registrant privacy. Some early registries from that expansion shared or sold registrant data with third parties – including marketing firms and data brokers – in ways registrants never anticipated or meaningfully agreed to when they registered their domains.
That history matters now because the new gTLD round 2026 operates under broadly similar contractual structures. The Applicant Guidebook has been updated, but the fundamental architecture remains unchanged: registry operator collects data, ICANN enforces minimum standards, registrant carries the exposure. What changed is scale. Over 1,200 TLDs were delegated after 2012. The new gTLD round 2026 could match or exceed that number. Every additional TLD is another registry entity, another privacy policy to read, and another set of decisions about what happens to your registration data when a government agency or IP law firm sends a request for records.
TAMS and What the Application Window Means for the DNS
TAMS – the TLD Application Management System – is the portal through which every applicant in the new gTLD round 2026 will submit their technical, business, and legal materials. ICANN confirmed that 29 Registry Service Providers had successfully cleared evaluation or were undergoing it as of early 2026. These RSPs are the technical operators that applicants contract to run their registry infrastructure. The choice of RSP directly shapes the data handling practices of the resulting registry, because RSPs build and operate the systems that store all registration records on an ongoing basis.
The new gTLD round 2026 introduces a layer of outsourced infrastructure that most registrants will never think about. When you register a domain under a new TLD launched through this round, your data passes through at least three entities: your registrar, the registry operator, and a contracted RSP. Each entity has its own data retention policies and its own exposure to legal requests from law enforcement, intellectual property claimants, and government agencies. The privacy chain is only as strong as its weakest link, and in a brand-new registry, that weakest link is almost always unknown until something goes wrong.
How the New gTLD Round 2026 Creates New Data Collection Points
Every registry created through the new gTLD round 2026 is an independent data collection entity. Unlike established TLDs with decades of policy precedent and documented track records, brand-new registries are building their data governance from scratch. Some will be well-run and thoughtful about privacy. Many will not be. The commercial incentives for registry operators skew toward collecting and retaining as much registration data as possible, because those records carry value well beyond their operational purpose – value to advertisers, to IP attorneys, and to governments seeking information about who owns which domain.
The Electronic Frontier Foundation has documented at length how domain registration data has been used against activists, journalists, and private individuals – weaponised by law enforcement, surveillance operations, and intellectual property attorneys to identify and target domain owners without their knowledge. The new gTLD round 2026 creates hundreds of new registries, each of which will maintain registration records and respond to legal requests under whatever rules apply in the jurisdiction where they are incorporated. The expansion of the DNS is simultaneously an expansion of the infrastructure that can be used to identify you.
What Registry Operators Are Required to Share
Under ICANN’s current policies, registry operators must provide registration data to ICANN itself, to law enforcement under valid legal process, and to certain third parties under contracted access arrangements. The new gTLD round 2026 does not change those baseline obligations. What it does is create hundreds of new entities subject to them, operating under the legal jurisdictions of wherever each registry operator happens to be incorporated. A registry incorporated in a country with aggressive cross-border data sharing agreements becomes an extension of that country’s surveillance architecture – attached directly to the domain you registered assuming it was private. You can explore what registrant data actually gets exposed in our detailed WHOIS privacy protection guide.
Privacy Policies Are Not Created Equal Across Registries
One of the least-discussed risks in the new gTLD round 2026 is the extreme variance in privacy standards across different registry operators. A branded TLD run by a multinational corporation will have an entirely different data governance framework than a community TLD operated by a small regional non-profit. Neither ICANN’s minimum requirements nor the published Applicant Guidebook mandate that new registries adopt privacy protections beyond a relatively low baseline. The practical responsibility for protecting your identity falls almost entirely on the registrar you choose to register through – not the registry running the TLD itself.
This is precisely why choosing the right registrar matters as much as choosing the right TLD. Registrars that collect minimal data from their customers and provide genuine privacy tools represent the practical layer between you and whatever data practices a new registry operator has quietly adopted. Our breakdown of new gTLD privacy risks covers the structural vulnerabilities that apply across the board. The short version: do not assume a new extension launches with strong privacy built in, because it almost certainly does not.
What Privacy-Conscious Registrants Should Do Right Now
The new gTLD round 2026 will produce a wave of new domain extensions over the next several years. Not all of them will be available immediately – ICANN’s evaluation and delegation process extends well beyond the August 2026 application deadline. But the decisions registrants make when new TLDs first hit the market tend to be the most consequential, because early registrants have the least information about how a new registry actually operates. There is rarely an established track record to consult before committing to a registration under a freshly launched extension.
Before registering under any TLD that emerges from this round, check who operates the registry and in which legal jurisdiction they are incorporated. Read their privacy policy and data retention terms in full before you commit. Understand whether they offer any registrant data protection that goes beyond ICANN’s minimum floor. And regardless of which TLD you choose, use a registrar that provides genuine WHOIS privacy and accepts payment methods that do not link back to your real-world identity. The right registrar is your last effective line of defence when a new registry’s privacy practices turn out to be weaker than they appeared on the surface.
Where to Go From Here
The new gTLD round 2026 is one of the most significant developments in internet infrastructure in over a decade. Hundreds of new TLDs will enter the market, bringing with them hundreds of new registry operators collecting registration data under varying standards of privacy protection. The enthusiasm around new domain options is understandable. The assumption that new TLDs automatically come with strong privacy by default is not justified by history or by the contractual framework ICANN uses to govern registry operators.
Treat every new registry created through the new gTLD round 2026 as an unknown quantity until its data practices are clearly documented and independently verified. Choose TLD extensions with full knowledge of who is running the registry and where they sit legally. And when you do register, do it through a registrar that starts from a privacy-first position. MonstaDomains offers anonymous domain registration with crypto-only payments and WHOIS protection built in – a real advantage as the new gTLD round 2026 reshapes what is available online and who gains access to your registration data in the process.
Top comments (0)