Enom Blog

November, 2017
Archive

  • How will the GDPR impact Whois?

    November 23, 2017

    Announcement, Featured, GDPR, Industry Insight

    In the weeks since my last update, a lot of behind-the-scenes work has gone on for our GDPR implementation project. One aspect of this project, which we can now share more specific information about, concerns changes to the Whois system. I also have some details around how collecting and processing data will influence both our Reseller Agreement and resellers’ own end-user service agreements (and we’ll share some recommendations on that). The information here is geared towards those who resell Enom services, but our clients who have registered a domain directly with us may also find it helpful.


    Update: March 6, 2018

    Before we dive into Whois changes, I want to go back to something that was mentioned in our initial GDPR post – to whom does the GDPR apply? At the time, we were proceeding on the basis of applicability by citizenship, meaning that the GDPR would apply to EU Citizens. Since that post went live, however, our legal analysis has led us to interpret the GDPR as applicable to any individual residing in the EU, regardless of their citizenship. Even more recently, we made the decision to work toward a unified implementation plan that will extend the same heightened privacy protections to all Enom reseller partners and end-users, regardless of their location. Learn more about our GDPR approach.


    Changes to Whois

    The Whois directory is a powerful tool. You can look up who owns a domain to find their phone number, email, even their postal address. You can check when a domain was first registered, where it’s hosted, when it expires — that’s a lot of information available with just a few clicks. And because this system has been around for so long, and is such a fundamental aspect of the internet, we often assume that how it currently works is how it should work. But just because something has been a certain way for a long time doesn’t mean it must always be that way, and the GDPR’s looming deadline has prompted the re-examination of many processes and policies.

    Instead of “how have we always done this?”, we’re asking questions such as “what’s the best way to do this?”, “what information is it truly necessary to include?” and “is there a legitimate legal basis for this process?”

    What will change?

    The GDPR was drafted and brought into law without consideration for its effects on the domain name industry, leaving us to interpret how this regulation applies to our world. One particularly impactful section of the GDPR is Article 5, which lays out “principles relating to processing of personal data.” This is highly relevant to the Whois system, which is essentially just a repository of data, much of which is personally identifiable information about individuals. Warning: we’re going to briefly venture into the legal thicket here, but bear with me!

    Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. For example, one such justification would be the performance of a contract; another is a situation where the data subject (the person to whom the data pertains) has given explicit consent for their data to be processed or collected.

    The principle of data minimization requires that the data collected be relevant and limited to what’s truly necessary to carry out the agreed-upon purpose for which the data is being collected. To add to this, the principles of purpose limitation and confidentiality limit the handling of personal data such that it cannot be processed or shared for any purpose other than that to which the individual initially agreed.

    Simply put, under the GDPR:

    1. We can only collect the minimum amount of data necessary to perform a specific action (e.g. register a domain)
    2. Data can only be shared when there’s a legal basis to do so
    3. Data can only be shared when necessary to fulfill the intended purpose of the data collection

    So how will this impact Whois? Well, it’s certainly difficult to argue that there’s a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public Whois record. And we can’t claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.

    All that being said, the GDPR recognizes that there are times when there is a real, justifiable need for a third party to obtain personal data, such as domain ownership information, and these “legitimate interests” are also provided for within the policy. Think about, for example, an intellectual property lawyer who wants to know the owner of a domain in order to submit a trademark dispute, or a law enforcement officer tracking down the people behind a phishing scheme; they should be able to find out who owns the domain name under investigation. We need some way for Whois information to be provided to the people and organizations who have a legitimate reason for requesting it — but one that doesn’t involve publicly exposing this sensitive data by default.

    A different kind of Whois

    This leads us to one of the biggest domain industry changes prompted by the GDPR: a gated Whois system.

    Not all parts of a domain’s Whois record constitute personal data. The registrar information, initial registration, last update and expiry dates, domain status, and nameservers will all remain publicly available as they are today.

    The registrant information — name, organization, address, phone number, and email — is personal data that can no longer be published in the public Whois. Instead, we plan to provide authenticated access in a specific and limited manner, so that those with legitimate reason to request personal data can access the information they require while the privacy of individuals remains protected.

    We’ve summarized changes to the Whois output in a quick PDF:  

    Don’t worry — this basic user data will still be visible to resellers through the Reseller Control Panel. As we work out the legalities, which will include updates to our Reseller Agreement, we’ll keep you updated.

    Do we still need Whois ID Protect?

    Absolutely.

    Regardless of any changes to the Whois system, Whois Privacy will remain a valuable service to registrants worldwide. Even when the public Whois “goes dark”, it is certain that there will still be a gated Whois, where registrant data will be made available to parties with a legitimate interest. So, while the audience for registrant data may no longer be the entire public, it will still be sizable. This is where Whois Privacy comes in — if privacy is active on a domain, the personal data in the registration record will remain protected from those with access to the gated Whois. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as part of GDPR data protection. In addition, the personal data associated with a domain that is protected by Whois privacy will not be shared with registries.
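
    An illustrative sketch of the tiered Whois output described above (an added example, not Enom's implementation): the field names, the `privacy_service` key and the placeholder text are assumptions. Each view is built from allowlists, so a field nobody has classified is never emitted.

```python
from enum import Enum


class Access(Enum):
    PUBLIC = "public"  # anonymous lookup
    GATED = "gated"    # authenticated requester with a stated legitimate interest


# Non-personal fields the post says remain publicly available.
PUBLIC_FIELDS = ("domain", "registrar", "created", "updated",
                 "expires", "status", "nameservers")
# Registrant fields the post classifies as personal data.
PERSONAL_FIELDS = ("name", "organization", "address", "phone", "email")
REDACTED = "REDACTED FOR PRIVACY"  # placeholder wording (assumption)


def render_whois(record, access, legitimate_interest=""):
    """Return the Whois view of `record` for the given access tier.

    Output is built from allowlists, so a field that is not explicitly
    classified (for example a newly added "fax") is never emitted.
    """
    if access is Access.GATED and not legitimate_interest.strip():
        raise PermissionError("gated access requires a stated legitimate interest")

    view = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    registrant = record.get("registrant", {})
    privacy = record.get("privacy_service")  # set when Whois Privacy is active

    if privacy:
        # Privacy service active: every tier sees the service's contact
        # details, never the registrant's own.
        shown = {k: privacy.get(k, REDACTED) for k in PERSONAL_FIELDS}
    elif access is Access.GATED:
        shown = {k: registrant[k] for k in PERSONAL_FIELDS if k in registrant}
    else:
        shown = {k: REDACTED for k in PERSONAL_FIELDS}
    view["registrant"] = shown
    return view


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "domain": "example.com",
    "registrar": "Example Registrar, Inc.",
    "created": "2015-03-01",
    "updated": "2017-11-01",
    "expires": "2018-03-01",
    "status": "clientTransferProhibited",
    "nameservers": ["ns1.example.net", "ns2.example.net"],
    "billing_note": "internal only",  # unclassified field, must never appear
    "registrant": {
        "name": "Jane Doe",
        "organization": "Doe Studio",
        "address": "1 Example Street, Springfield",
        "phone": "+1.5555550100",
        "email": "jane@example.org",
        "fax": "+1.5555550101",  # unclassified field, must never appear
    },
}

if __name__ == "__main__":
    for tier in Access:
        print(tier.value, render_whois(SAMPLE, tier, "trademark dispute"))
```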

    Now, there will always be the occasional, ostensibly savvy registrant who’s tempted to simply supply false information, seemingly avoiding the need for Whois ID Protect altogether. This is something we would never suggest. For legal reasons, ownership disputes being one example, it’s important that the domain contact information be accurate. Additionally, the registration agreement that all domain owners accept as part of registering a domain through an Enom Reseller confirms that all information provided will need to be accurate, current, and reliable. These are ICANN-imposed conditions, and registrants risk having their domain suspended or canceled if these requirements are not met.

    Reseller changes coming in the new year

    All this talk about new restrictions on data processing and collection, and the various process changes they entail, brings me to my final point: how will it all impact you, our resellers? In the lead-up to May 2018, we’re doing as much as possible on our side to minimize the changes you have to make on yours. But despite all our best efforts, there will inevitably be things you need to do as a reseller.

    This involves another (even briefer) journey into the legal thicket. According to our interpretation, Enom is a data controller (we determine “the purposes and means of the processing of personal data”) for specific data elements: registrant first and last name, organization, email address, and country. This is all the information we require in order to enter into the registration agreement with the domain owner. For all other data elements (e.g. address, phone, and fax numbers, among others), we are simply a data processor. The difference here is that we are handling this data on behalf of either the registry or the reseller, without actually requiring it ourselves. For example, we don’t need a registrant’s physical address to provide them with a domain name, but you may require it for billing purposes. Various data requirements will also exist at the registry level. As a data processor, we store and transmit this information on behalf of both registries and resellers, and in order for the exchange of all this information to occur, it must be covered in a GDPR-compliant agreement.

    To that end, one thing that is definitely coming is an update to our Reseller Agreement — we need to add some information around what we require as a data controller, as well as the changes mentioned earlier, which will remove any concern around resellers accessing clients’ personal data in the Control Panel.

    As a reseller, you’ll want to work with your own legal team to review your customer agreements and work through any changes that may need to be in place before that May 25th deadline. We’ll also have some recommended language for resellers to include in end-user service agreements, so stay tuned.

    What’s next?

    Next month’s GDPR update post will focus on how we plan to request consent from individuals for the use of their personal data. Until then, we’ll continue working hard on our implementation. As a reseller, you can use this time to seek your own legal advice, and think about what information you’re collecting from customers — how does it align with the GDPR’s principles of data minimisation, purpose limitation, and confidentiality?

    You can wrap your head around the basics, and find helpful context on our GDPR page. Our previous blog post also highlights some fantastic resources that outline emerging GDPR best practices. And finally, we encourage you to sign up for our GDPR newsletter so you don’t miss a thing!


    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

  • The nTLD Reseller Starter Guide: Which new gTLDs should I offer?

    November 14, 2017

    Uncategorized

    If you currently sell or are considering selling domain names as part of a business, you may have asked yourself this question before. The huge variety of gTLDs out there can turn the task of curating a lineup that makes sense for your business into a rather daunting undertaking. Instead of getting bogged down by all the variables that could weigh into your final decision, I suggest you focus on the handful of key considerations that really matter. The questions below will help you better evaluate TLDs and equip you to make smart choices as you expand or refocus your offering. And in case you still feel stuck, we’ve included a list of extensions you might consider.

    Is the TLD easy to implement?

    Most of the new gTLDs fall into the “easy-to-implement” category, free to be registered by anyone, anywhere, much like a .COM. Others have strict registration requirements, such as a local presence in their associated geographic area, or an affiliation with a particular professional group. If you ever need to verify whether an extension you’re considering is restricted, take a quick look at our TLD reference chart.

    The TLDs we’ll highlight in this post are all easy to implement, but that’s not to say you should steer clear of those that are restricted. In fact, offering restricted TLDs can be a great way to cater to a niche market. For example, many firms might find the credibility of a .LAW extension advantageous. Similarly, the appeal of geoTLDs like .NYC, .BARCELONA, or .BERLIN among local citizens makes them a great choice if you attract a significant volume of customers in any of these cities. If you think you’re likely to sell a high volume of a certain restricted extension, the payoff may well be worth the extra implementation efforts involved. It really comes down to knowing your audience and presenting them with options they are likely to find meaningful.

    Is there a high level of interest in the TLD?

    Unless you’re catering to a highly specific market, you’ll benefit from starting with TLDs that have wide appeal. This appeal can be generated by both the generic nature of the extension (.WEBSITE or .ONLINE), or its specificity (.CLOUD, .BLOG, .SHOP, .STORE or .DESIGN). Note that each of those last five extensions has an unambiguous meaning that resonates with a huge number of potential buyers.

    This doesn’t mean a small TLD offering shouldn’t include more niche extensions. Again, the level of interest your customers show for a particular TLD will always depend on who your customers are. I had a musician friend, for example, who was thrilled to launch her new business with a .STUDIO name. And I’m willing to bet there are a lot of artists out there who might be open to a similar departure from the traditional, more corporate-sounding extensions.

    Does the pricing make sense?

    Most potential nTLD buyers compare new possibilities to .COM alternatives. So presenting them with fresh, viable options in a similar price range is smart. There are many solid performers, with broad applications, that fall into this category. Of course, this isn’t to say that a high price tag should deter you from offering an extension that seems particularly well-suited to your customer base.

    It’s also not just the initial purchase price you should be aware of. Simple and predictable pricing structures are an important factor in building an enduring customer base. So while offering TLDs with substantial first-year discounts might translate into increased registrations, you could find yourself unpleasantly surprised by relatively low renewal rates. A customer who purchases a domain on promotion might not be put off by a slightly higher renewal fee. But there are numerous registries that present enticing first-year TLD price tags in the .COM range, with renewal fees that might be 10x greater. These kinds of discrepancies not only deter savvy buyers from making the initial purchase, and put a dent in your renewal rates, but also place you at risk of angering customers who are caught totally off guard by the increase.

    In short, it’s advantageous to offer first-year promotional prices, as they can be a real incentive to potential buyers. But it’s also important to make sure you’re transparent about the renewal price, displaying it clearly within your purchase flow. For those who sell domains as a part of a larger bundle or package, the renewal price, and the margin it allows for, should be factored into your pricing structure.

    Are the renewal rate and customer quality fairly high?

    It’s been a few years since the launch of the first nTLDs, which means we’re now in a much better position to evaluate their long-term potential. When determining the value of a new extension, look into its renewal rate and whether its registrations are, generally, being used in a meaningful way. Arguably, there’s a link between the two.

    That latter point is what I mean by “customer quality”. If you’re a hosting provider or CMS business, you stand to make more money off customers who are actually using their domains. They’re certainly far more likely to show interest in email, SSL and hosting services. They’re also more likely to renew. Not to mention, there’s a case to be made that websites that have valuable content, and employ a new TLD, effectively function as an advertisement for the extension itself. That certainly can’t hurt an extension’s organic growth over time.

    In this regard, .BLOG is a standout – according to ntldstats, only 27% of its registrations are “parked”, a term applied to any domain “in use as a parking page [displaying ads], or without any content.” To put this number in perspective, the average parked page percentage for the TLDs we highlight in the chart below is roughly 53%.

    Still feeling a little lost?

    That’s fair! The paradox of choice is a powerful thing. Here are some suggestions that might serve as a good place to start. Judging them based on the checklist above, these TLDs don’t necessarily score high across the board, but they are all easy to implement and offer the potential to target a sizable audience – some because of their generic nature and global recognizability, and others because of their appeal to a specific, but substantial, market.

    To reinforce my earlier point: while we haven’t focused on geoTLDs in this post, they represent a sizable portion of the nTLD pie. Depending on your target market, they can be incredibly profitable.

    If you’re ready to explore what options might work best for your business, you can view all available TLDs at enom.com.

  • GDPR Resources: Basics & best practices

    November 9, 2017

    Featured, GDPR, Industry Insight

    If you’re anything like me, you’ve spent the days since our first GDPR blog post thinking nonstop about the policy’s potential impacts on the domain world. Okay, maybe you have other things to do with your time… But luckily, there are a lot of great minds at work on this issue. This week, I’d like to share a few links that give some useful background information and starting points as you think about what the GDPR means for you and your business.

    1. IAPP: Top 10 Operational Impacts of the GDPR

    The International Association of Privacy Professionals wrote ten articles looking at different aspects of the GDPR. I particularly liked their review of what Consent looks like under the GDPR, and their Consequences for GDPR Violations piece really brought home just how much this new regulation overshadows other data-privacy laws, including the EU’s previous Data Protection Directive, in terms of its scope and enforcement mechanisms.

    2. ICANN: Data Protection/Privacy Issues

    ICANN is the global nonprofit organization that coordinates the technical and operational services of the internet. This page on ICANN’s website lists various data privacy-related projects, including information and resources about ICANN’s work related to the GDPR. Especially of interest are the October 18 blog post and the November 2 announcement from the Contractual Compliance team; the blog post acknowledges that the GDPR will affect how Whois is displayed, and the November 2 statement talks about how contractual obligations will be handled in a post-May-25-2018 world. Both are important starting points in understanding how aspects of the industry are likely to change under the GDPR; ICANN and the organization’s larger community have yet to determine a consistent, official approach to responding to the challenges presented by the policy.

    3. GeoTLD.Group: GDPR Info Page

    As its name might suggest, this not-for-profit represents the interests of the various registries that operate geographic top-level domains worldwide. The GeoTLD Group has put together several useful reports and presentations about the GDPR, including a review of best practices from registries that already follow similar regional data-privacy laws. They also conducted a general survey of the domain industry which provides insight into the policy’s impact on domain-related businesses and what measures these companies are incorporating into their implementation plans.

    Ultimately, I find it reassuring that so many different groups are thinking about what changes might be needed for compliance with the GDPR. Getting your business ready can seem like a daunting task, but seeking legal counsel and familiarizing yourself with the basic concepts will ensure that you’re prepared. You can subscribe for updates and helpful resources on our GDPR page.


    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
