ICANN: Critical changes to Domain Name Ownership from August 21, 2025
Critical domain ownership changes are coming August 21, 2025. ICANN’s new Registration Data Policy fundamentally alters how domain ownership is determined—if your domain registration includes a company name in the Organization field, that entity will automatically become the legal owner instead of the individual registrant. This shift affects millions of domains worldwide and requires immediate attention to prevent unintended ownership transfers.
ICANN (Internet Corporation for Assigned Names and Numbers) serves as the global custodian of the internet’s domain name system. Founded in 1998 as a non-profit organization based in the United States, it undertook the critical mission of managing the Domain Name System (DNS) and allocating IP addresses. Unlike traditional international organizations such as the International Telecommunication Union (ITU), ICANN operates through a unique “multi-stakeholder” model, where governments, the private sector, academic community, and users collaborate in internet governance.
ICANN’s importance is decisive: every domain name registered worldwide is subject to the rules and policies established by the organization. For businesses and professionals who increasingly rely on their digital presence for international transactions and e-commerce, ICANN’s decisions have a direct impact on their digital assets. You can find more information about ICANN’s founding and political dimension here.
The most critical aspect of the new policy concerns the hierarchy of ownership data. According to paragraph 6(6)(2) of the RDP, if the “Organization” field in the registrant’s details contains the name of an organization or company, that organization will automatically be considered the legal owner of the domain. The individual listed in the contact details will now be treated only as a point of contact, without ownership rights.
This change reverses the existing practice where the registrant’s first and last name determined ownership. For example, if a company director has registered the business domain in their name but has filled in the company name in the “Organization” field, from August 21st the company will automatically become the domain owner, regardless of the individual’s name.
Particular attention is required in cases where entrepreneurs have registered domains in their personal name for convenience or control purposes, but have entered the company name in the “Organization” field. After August 21, 2025, these domains will pass to company ownership, creating potential complications in cases of shareholder departures, sale of shares, or corporate disputes.
Additionally, this change affects the domain transfer process. Any modification to the “Organization” field will automatically trigger a change of registrant procedure, requiring email verification. Failure to complete verification within the specified timeframe can lead to domain suspension, with catastrophic consequences for business operations.
The RDP introduces significant restrictions on the collection and publication of personal data. Mandatory fields for administrative and billing contacts are abolished, while technical contacts become optional and can be generic email addresses. Importantly, Organization details will not appear in public WHOIS unless the holder gives explicit consent. This approach aligns with the principles of data minimization and privacy protection provided by GDPR, ensuring that only absolutely necessary information is collected and processed.
If the intention is personal ownership, the “Organization” field must remain empty. Conversely, if corporate ownership is desired, you must ensure that the company name is correctly registered.
Particular attention is required for domains used for investment purposes or as part of a personal portfolio. The presence of a company name in the “Organization” field can create unwanted legal obligations and/or problems.
First, the obligation to collect Administrative, Billing, and Technical Contact fields is completely abolished. From August 21, 2025, registrars will collect exclusively the “minimal data set” limited to the absolutely necessary Registrant details. This simplification aligns with GDPR’s data minimization principles, while reducing the administrative burden for businesses maintaining multiple domains.
Second, and perhaps more critical from a business perspective, registrars are required to permanently delete all historical Administrative, Billing, and Technical contact data held in their systems.
Third, the Technical Contact becomes an optional field and can now be filled with generic email addresses, such as “support@example.com“, instead of specific employees’ personal details. This flexibility helps businesses maintain stable contact points regardless of internal personnel changes.
For legal professionals and domain management specialists, the transition to RDAP means that access to non-public registration data now requires identity verification and documentation of legitimate interest. ICANN has introduced the Registration Data Request Service (RDRS) as a pilot program to facilitate such requests, particularly for law enforcement, intellectual property protection, and cybersecurity cases. This change creates new procedural requirements for obtaining information in cases of domain disputes or investigations into trademark infringements.
The new rules also introduce standardized procedures for bulk domain transfers (Bulk Transfer After Partial Portfolio Acquisition – BTAPPA), with a maximum charge of $50,000 for portfolios over 50,000 domains. At the same time, the list of valid reasons for transfer denial is being updated, including explicit reference to DNS abuse cases as defined in ICANN’s soft law. These changes are expected to significantly simplify transfer procedures while reducing the risk of fraud and abuse.
ICANN’s importance is decisive: every domain name registered worldwide is subject to the rules and policies established by the organization. For businesses and professionals who increasingly rely on their digital presence for international transactions and e-commerce, ICANN’s decisions have a direct impact on their digital assets. You can find more information about ICANN’s founding and political dimension here.
The New Registration Data Policy
The Registration Data Policy (RDP) coming into effect on August 21, 2025, represents the most significant restructuring of domain name ownership data management since 2018. This policy is not merely a technical adjustment, but a comprehensive overhaul affecting how the legal owner of a domain name is determined.The most critical aspect of the new policy concerns the hierarchy of ownership data. According to paragraph 6(6)(2) of the RDP, if the “Organization” field in the registrant’s details contains the name of an organization or company, that organization will automatically be considered the legal owner of the domain. The individual listed in the contact details will now be treated only as a point of contact, without ownership rights.
“6(6)(2) The Registrant Organization will be considered the Registered Name Holder.”
The Impact on Ownership
From a legal perspective, this change raises significant issues requiring immediate attention. Under Cypriot law, domain names are treated as intangible assets with substantial commercial value. The automatic transfer of ownership from an individual to a legal entity can have implications for contractual relationships, corporate agreements, and even in cases of divorce or inheritance.Particular attention is required in cases where entrepreneurs have registered domains in their personal name for convenience or control purposes, but have entered the company name in the “Organization” field. After August 21, 2025, these domains will pass to company ownership, creating potential complications in cases of shareholder departures, sale of shares, or corporate disputes.
Additionally, this change affects the domain transfer process. Any modification to the “Organization” field will automatically trigger a change of registrant procedure, requiring email verification. Failure to complete verification within the specified timeframe can lead to domain suspension, with catastrophic consequences for business operations.
GDPR & Data Protection and Transparency
The new Registration Data Policy is a direct result of the implementation of the General Data Protection Regulation (GDPR) that came into effect in 2018. ICANN was forced to redesign the WHOIS system, which traditionally published all personal details of domain name holders freely, in order to comply with the strict requirements of the European regulation.The RDP introduces significant restrictions on the collection and publication of personal data. Mandatory fields for administrative and billing contacts are abolished, while technical contacts become optional and can be generic email addresses. Importantly, Organization details will not appear in public WHOIS unless the holder gives explicit consent. This approach aligns with the principles of data minimization and privacy protection provided by GDPR, ensuring that only absolutely necessary information is collected and processed.
Practical Guidelines
Domain name holders, technicians, and administrators must take immediate action to protect their digital identity. We recommend immediate review of all registered domains and checking the “Organization” field.If the intention is personal ownership, the “Organization” field must remain empty. Conversely, if corporate ownership is desired, you must ensure that the company name is correctly registered.
Particular attention is required for domains used for investment purposes or as part of a personal portfolio. The presence of a company name in the “Organization” field can create unwanted legal obligations and/or problems.
Other Important Technical Changes
Beyond the critical change in ownership determination, the Registration Data Policy introduces three additional technical changes that directly affect domain name management.First, the obligation to collect Administrative, Billing, and Technical Contact fields is completely abolished. From August 21, 2025, registrars will collect exclusively the “minimal data set” limited to the absolutely necessary Registrant details. This simplification aligns with GDPR’s data minimization principles, while reducing the administrative burden for businesses maintaining multiple domains.
Second, and perhaps more critical from a business perspective, registrars are required to permanently delete all historical Administrative, Billing, and Technical contact data held in their systems.
Third, the Technical Contact becomes an optional field and can now be filled with generic email addresses, such as “support@example.com“, instead of specific employees’ personal details. This flexibility helps businesses maintain stable contact points regardless of internal personnel changes.
* Exceptions: Some country-code TLDs and specialized domains may have different requirements. The policy applies to all generic TLDs (.com, .net, .org, etc.) but certain extensions like .asia may maintain additional contact requirements.
From WHOIS to RDAP
Alongside the changes in the Registration Data Policy, ICANN completed the final retirement of the WHOIS protocol on January 28, 2025, replacing it with the modern Registration Data Access Protocol (RDAP). WHOIS, which had been operating since 1982, had significant weaknesses: lack of data standardization and inability to support international characters. RDAP addresses these challenges by providing structured data in JSON format, mandatory use of HTTPS, and the ability for tiered access based on the requester’s identity.For legal professionals and domain management specialists, the transition to RDAP means that access to non-public registration data now requires identity verification and documentation of legitimate interest. ICANN has introduced the Registration Data Request Service (RDRS) as a pilot program to facilitate such requests, particularly for law enforcement, intellectual property protection, and cybersecurity cases. This change creates new procedural requirements for obtaining information in cases of domain disputes or investigations into trademark infringements.
Upcoming Reforms to Domain Transfers
Beyond the immediate changes of the Registration Data Policy, ICANN is preparing significant reforms to the Transfer Policy expected to take effect within 2026. The most significant change concerns the reduction of the lock period from 60 to 30 days, both for new registrations and for transfers between registrars. Additionally, the 60-day lock that applied after changes to registrant details is being completely abolished, a development that significantly facilitates domain portfolio consolidation and corporate restructuring.The new rules also introduce standardized procedures for bulk domain transfers (Bulk Transfer After Partial Portfolio Acquisition – BTAPPA), with a maximum charge of $50,000 for portfolios over 50,000 domains. At the same time, the list of valid reasons for transfer denial is being updated, including explicit reference to DNS abuse cases as defined in ICANN’s soft law. These changes are expected to significantly simplify transfer procedures while reducing the risk of fraud and abuse.
💡 Critical Dates:
- May 28, 2025: Email notifications begin
- August 21, 2025: Official implementation of new policy
- After 8/21: Permanent deletion of old contact data
Conclusion
ICANN’s new Registration Data Policy signals a new era in domain name management. Understanding and timely adaptation to the new requirements is not simply a matter of technical compliance, but a critical issue for protecting domain names. The deadline of August 21, 2025 is approaching.Further Reading on Digital Governance and Technology Policy
For readers interested in exploring broader themes of internet governance, data protection, and digital market regulation, I invite you to explore my other articles. These pieces examine critical intersections between technology, law, and corporate power:
- ICANN’s Registration Data Policy: Critical Domain Ownership Changes (Greek Version): The comprehensive Greek edition of this article provides additional context on ICANN’s historical development and its impact on the European digital landscape.
- The Consent Paradox: How EU Regulations Enabled Corporate Data Harvesting: A critical examination of how GDPR’s cookie consent requirements inadvertently created a surveillance infrastructure controlled by 8–10 Consent Management Platform companies, demonstrating how privacy regulations can paradoxically expand data collection capabilities.
- Apple v. Pepper: Robbing Developers of Their Autonomy: An analysis of the landmark U.S. Supreme Court case addressing whether iPhone users can sue Apple for monopolistic practices in the App Store, exploring the implications for developer independence and digital marketplace competition (Greek Version).
- Facebook Welcomes Us to the Post-Data Era & Why GDPR is Dangerous Nonsense: A provocative critique of GDPR’s fundamental limitations, arguing that traditional data protection frameworks cannot address the sophisticated data inference capabilities of modern platforms and the emergence of “post-data” surveillance techniques (Greek Version).
- When the GDPR Goes Wrong: A case study examining the Cyprus Data Protection Authority’s misapplication of GDPR to labor relations, illustrating the dangers when data protection authorities exceed their mandate and attempt to regulate matters beyond privacy concerns.
- The Founding of ICANN: A Historical and Political Approach: An in-depth exploration of ICANN’s creation in 1998, examining the political forces that shaped internet governance and the ongoing tension between technical administration and geopolitical interests (Greek Version).