The General Data Protection Regulation (GDPR) will go into effect May 25, 2018.
These changes primarily relate to the registrant’s consent management flow and include the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions.
We want to let you know that we will be updating our T&C, with the update taking effect on May 25th, 2018, to comply with GDPR. We suggest that all clients, both individuals and resellers, review this update. We are making this change to better explain our privacy practice. We encourage you to review the updated policy here.
GDPR is short for the General Data Protection Regulation that goes into effect on May 25, 2018. It is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU.
2. Why are you applying GDPR-related changes platform-wide? I don’t have European customers, and I’d prefer not to have to accommodate these changes.
MochaHost's decision to implement our GDPR-related process changes platform-wide is twofold. First, there are other privacy policies with similarly strict requirements to the GDPR in place today, and it’s expected that more will be introduced as governments around the world are called on to create a policy that properly addresses the privacy concerns of our modern, digital age. It is in our best interest, and that of our resellers and registrants, to prepare for a world of heightened data sharing and privacy standards. Second, MochaHost believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel that extending the benefits of the GDPR to registrants worldwide is simply the right thing to do.
3. Why does the Data use consent settings page mention Enom? I thought that MochaHost is the registrar?
MochaHost used Enom as the master registrar. Modern privacy laws and regulations, including the GDPR, require service providers to disclose what personal data they are processing, how this data is being held and processed, and by whom it is being processed. In order for us to obtain informed, affirmative consent from registrants to process their personal data, we must be transparent about the fact that Enom is processing some of the data.
4. What is the difference between consent and contract, and why does it matter whether a data element is processed based on contract or consent?
To an end-user, checking a consent box and accepting a contract may feel very similar, but legally these are two distinct concepts. Each one is a separate legal basis with unique applicabilities and limitations. Any data elements that MochaHost or the registry/service provider requires in order to provide a TLD or other product will be processed on a contract basis, meaning they’ll be included in our contractual agreement with the registrant. We do not need to send a consent request to process these data.
Any additional pieces of data, those that are not contractually required but are helpful to have, or have been requested by the registry but not included in their contractual requirements, can only be processed with consent from the registrant. We are also obligated to provide registrants an easy and accessible method to revoke this consent. Our Data use consent settings page accomplishes both of these tasks: collecting registrant consent, and providing them a means to revoke it. Asynchronous services are a special case in this regard because although MochaHost doesn’t require these additional, consent-based data, the registry or service provider does, despite the fact that they have not provided a contractual legal basis for processing them.
Data processed as part of fulfilling our service contract will be kept for the lifetime of the service, plus up to 7 years after the service’s termination.
Any data that we process under the legal basis of consent will be held by MochaHost for the same period as the contract-based data unless that consent is withdrawn, in which case it would be erased at the time of withdrawal of consent. Upon canceling the service, the registrant’s choice to withdraw consent will take effect.
We will continue to comply with ICANN policy to the greatest extent possible, as we have always done. However, until ICANN policy has been updated in response to the GDPR and other similar worldwide data privacy legislation, we will be faced with many instances where the requirements that ICANN lays out for its registrars conflict with our legal obligations. In these instances, we will follow the law first and comply with ICANN as best we can.
1. Why can’t I see real contact information in the public Whois anymore?
Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. One such justification would be the performance of a contract; another is a situation where the data subject (the person to whom the data pertains) has given explicit consent for their data to be processed or collected. Data can only be shared when necessary to fulfill the intended purpose of the data collection. This means that the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.
2. Will the public Whois output still display domain dates, status, nameservers, and sponsoring registrar?
Yes. The technical data (the top section of the current Whois output) will show up in the public-facing lookup.
3. In the gated Whois, what data will be displayed?
Registrant contact data which is held based on contract, or for which we have consent, will be displayed in the gated Whois — unless the domain is privacy-protected. If the domain has ID Protect, the privacy masking data will be displayed both publicly and within the gated Whois.
4. Will the changes to the Whois affect non-EU domain registrants?
Yes. We are applying all Whois-related changes platform-wide, meaning all registrants will receive the same level of data protection regardless of citizenship or location.
5. Will the gated Whois show information for privacy-protected domains?
Access to the gated Whois will only reveal information which was, prior to May 25, 2018, public. It will not reveal the Whois information for privacy-protected domains. In fact, the Whois output for privacy-protected domains will be the same in both the public and gated Whois, and we will continue to require a court order or other legal documentation for access to this information, as we do today.
6. What is the difference between the gated Whois and the domain privacy Whois?
The gated Whois is a portal where accredited third-parties can access “full” Whois information, and the output available here includes personal data that is hidden from the public Whois. However, the Whois output for domains with ID Protect will remain the same as it is prior to May 2018, both in the public Whois and in the gated Whois. This means that contact privacy details, including a contact privacy email, will be displayed for domains with ID Protect in the gated Whois. For a helpful visual snapshot of the difference, click here.
7. How does this affect domain transfers?
We have made some minor updates to how the transfer process is accomplished. We have removed the email standard form of authorization. Instead, we will now simply rely on the EPP code provided by the registrant as the form of authorization for inbound transfers. Additionally, each completed inbound transfer will be treated like a new registration where a registrant verification email will be sent to the registrant email address to verify the accuracy of the domain contact information.
1. What TLDs and products show up on the Data use consent settings page?
When a registrant visits their Data use consent settings page, they will find an up-to-the-minute list of all the active products they have registered, as well as any products which are pending consent before the order can be completed.
2. Why are some TLDs asynchronous while others are synchronous? Why is consent sometimes required and sometimes optional?
The data elements that MochaHost or the GDPR-compliant provider requires are collected and processed under the legal basis of a contract. However, for some TLDs and services, the provider requests additional pieces of data for which there is no legal contractual basis to process. When this is the case, we will ask the registrant for consent to share these additional pieces of data with the provider.
In most cases, even if the registrant should withhold or fail to provide consent, MochaHost is still able to immediately register the domain by sending the registry a combination of the contractual data and placeholders for any data elements that can only be processed with consent. We refer to such services as “synchronous” (com, net, org, etc.) — they can be registered right away, without the use of additional personal data beyond that which is covered in the contract.
For some TLDs, however, placeholder data will not be accepted by the registry, and because we don’t have assurance from the registry that the data will only be used in ways that conform with modern data privacy regulations such as the GDPR, MochaHost cannot in good conscience provide the actual data to the registry without the registrant’s consent. We refer to these types of services as “asynchronous” (for example, certain country code TLDs that require extended attributes like residency in that country) — because the service cannot be provided without sharing certain pieces of the registrant’s personal data with the service provider, and there is no GDPR-compliant contract to protect the data, we need the registrant’s permission to share it before we proceed. This permission must be provided in the form of affirmative consent.
3. Why is my customer’s asynchronous domain pre-consented? They haven’t yet provided consent.
To provide an intuitive and transparent experience for the registrant, the consent status for any already active, asynchronous service is set to “yes-consent” by default. This is because the client is considered to have consented to the data processing by purchasing the service prior to these enhanced data protection requirements coming into effect. Additionally, although consent has not yet technically been provided, an affirmative consent status accurately indicates the current data use settings: the end user's personal data have already been processed and shared with MochaHost and our registry partner(s).
For registrants wishing to revoke consent, a “yes-consent” status also makes the required action very clear: they must uncheck the box and submit, at which point they will be directed to their reseller to complete their request and cancel service. While ideally, we would replace these consent-based data with placeholder data until consent is provided, we are not permitted to do so by the registry, and so the service would need to be canceled in order for the withdrawal of consent to have any real effect.
Please note that for synchronous services, for which placeholder data are accepted by the registry or service provider, the consent checkbox will always start in an ‘empty’ state and only show a ‘checked’ state indicating that consent was given if the registrant provides consent.