In the wake of GDPR, public whois records are 100% redacted. There is lots of work going on to attempt to provide the data without violating privacy laws, but no one is there yet.
This came up because today I got email from Tucows asking me to verify and, if necessary, update my whois data. Now, Tucows is the registrar, so they know all of the data. But they sent me this
Gee, thanks. That’s so helpful.
I’ve talked about using privacy protection on domains in the past (here, here, here, here, and here). Short version (if you don’t want to check all the old links) is that privacy protection for commercial domains is bad, that’s what spammers do and legitimate email marketers should not hide domains behind privacy protection services. I still believe all of these things.
What I’ve never really addressed is that I think privacy protection services are appropriate in some cases and are a reasonable protective measure for individuals. Over on Spamresource, Al wrote up a great post today about whois privacy protection.
Sometimes people do need anonymity and privacy online. Trusting a registrar’s privacy protection service is probably not your best bet for that. Like Al, we’ve stood in as a “privacy service” for friends and colleagues. It was our name on the domain registrations, and we could contact the appropriate people as needed. They trusted us to forward only the important stuff and we trusted them not to do bad things. This trust doesn’t scale.
Privacy protection services are used by a lot of bad actors to hide their involvement. Companies and commercial entities are tarring their own reputations using privacy protection services.
No real pull quote here, all of Al’s points are too good. So go read the whole thing.
There’s a lot of discussion going on about just what GDPR requires, and of who, and in which jurisdictions. German organizations in particular have been more aggressive than most about wanting to see opt-in confirmation for years and now seem to be adding “because GDPR” to their arguments.
I’m still not sure how this is going to shake out, but I’m beginning to see list owners take externally visible action.
I’ve been a subscriber for four or five years – it’s a good mailing list, run well, and I doubt it has any delivery issues beyond the unavoidable.
So this is a permission pass solely because they’re not sure whether I’m an EU resident, and aren’t 100% sure their opt-in confirmation data is squeaky clean (I subscribed as part of downloading an app of theirs, but after five years I couldn’t tell you whether that was technically confirmed opt-in or not, and I’m sure they can’t either).
Zoomdata aren’t taking any chances on confirmation. This isn’t a single “click to confirm you want to stay on the list” permission pass, rather it goes to a form that asks whether I’m an EU resident and if I am requires me to check an “Opt-in to email communications” checkbox and then click on a link in a confirmation email.
I’m not an EU resident today but may be an EU resident in the near future – yet my email address won’t change and nor will my mailing list subscriptions. That does make me wonder how valid it is to be capturing opt-in permission solely for recipients who are EU residents today.
Also are non-EU residents likely to claim they live in the EU because they’ll be treated better as far as their privacy is concerned, much the same as telling Facebook or Twitter you live in Germany provides you with better content filters?
I guess I’ll be seeing more of this in my inbox over the next few weeks. How are all y’all handling GDPR compliance?
Al has a post listing some of the bad things some sender representatives do when approaching ISPs for delisting.
One of the things I would add to the list is hiding behind a privacy protected domain registration. No matter how you dice it, having a business domain behind privacy protection makes a company look illegitimate. For any company sending commercial mail, it’s not even an issue as senders are required by law to include an address in every email. With this sort of requirement, it’s not like customers aren’t going to be able to find them.
This is an issue I feel so strongly about, I will not represent senders to ISPs unless they have a valid, unprotected whois registration. I do offer consulting and other services to them, but will not contact the ISPs on their behalf. This is not the reputation I want to create with the ISPs for myself or my other clients.
I challenge anyone who is running a business and using a whois privacy protection service to put the same address in their whois record as is on every email you send out.
I challenge ISPs to stop offering whitelisting, FBL or other services to senders who insist on using whois privacy services.