GoDaddy has thrown its considerable weight behind a legal challenge that pits the fight against online fraud squarely against long-standing efforts to shield ordinary internet users from exposure. The world’s largest domain registrar warns a Delhi High Court directive could force fundamental changes to how website addresses are bought and managed. Not just in India. Everywhere.
The December 2025 order arose from complaints by more than 20 major brands. Amazon, McDonald’s, Microsoft, Xiaomi and Colgate-Palmolive among them. They told the court that fake sites impersonating their names served as engines for large-scale deception. Indian authorities had already blocked more than 1,100 such domains. The problem was real. In 2023 alone India recorded 2.4 million cyber fraud complaints totaling $2.4 billion in losses, according to government data cited in court filings.
But the remedy, GoDaddy argues, creates fresh dangers. The directives ban privacy protection as a default feature for new registrations. They require registrars to hand over a buyer’s name, address, phone number and email to anyone demonstrating a legitimate interest. All within 72 hours. They also bar registration of any domain name that merely varies a protected trademark. Commercially destabilising. That is how GoDaddy describes the package in its court papers. The filings run more than 5,000 pages.
The company, which manages some 80 million domains and counts India as a key growth market, has taken the matter to a larger bench of the Delhi High Court. A hearing is scheduled for July 16. Rivals Namecheap and Hosting Concepts have joined the appeal. Their shared fear? A single country’s ruling could rewrite rules for the entire global domain system.
Domain names do not respect borders. A decision in Delhi can ripple outward. GoDaddy says compliance would compel it to alter practices worldwide. Or consider exiting the Indian market altogether. Either path carries heavy costs. The first upends years of alignment with international privacy standards. The second shrinks access for millions of small businesses and individuals who rely on affordable domain services.
At the heart of the dispute sits the practice of redacting personal data from public WHOIS records. For more than a decade registrars have offered free privacy protection by default. GoDaddy’s own website still advertises free privacy that redacts name, address, phone and email from the public directory. The court order would end that. Personal details would surface unless customers pay extra. Even then, disclosure could be compelled quickly.
GoDaddy contends this shift directly contradicts both India’s Digital Personal Data Protection Act and the European Union’s GDPR. Both frameworks demand privacy by default. Both aim to minimize unnecessary data exposure. “Stopping privacy-by-default features will result in public disclosure of name, address, telephone and email of legitimate website owners, exposing them to foreseeable privacy and security risks such as stalking and harassment,” the company stated in its filings, as reported by Reuters.
New York-based internet governance researcher Farzaneh Badii put the risk in sharper terms. “The people exposed will be journalists, activists, small business owners, and private individuals,” she said. “The brand impersonators will not.” Her observation, carried by The Next Web, underscores a central tension. Criminals rarely register domains with their real information. Legitimate users do. Removing the shield therefore hits the wrong targets.
The court had weighed these concerns. It applied the proportionality test from India’s landmark Puttaswamy privacy judgment. It concluded that the need to combat widespread fraud outweighed individual privacy claims in this context. Section 7(e) of the DPDP Act permits disclosures ordered by a court without fresh consent. Yet GoDaddy maintains the order goes further. It creates new policy without legislative backing. It asks private registrars to make rapid judgments about legitimate interest. Something they say they lack the tools or authority to do fairly.
Trademark variation rules raise separate alarms. Consider the name McDonald. Scottish in origin and a common surname. Blocking every close variation, GoDaddy warns, could hand certain brands effective monopoly over ordinary words. Similar collisions exist with countless English terms and corporate abbreviations. The company fears legitimate businesses with similar names will find themselves locked out or forced into expensive legal fights.
These arguments echo earlier warnings. A Gizmodo report captured GoDaddy’s broader alarm that local mandates could erode anonymity tools across the internet. If one jurisdiction can force disclosure and verification, others may follow. The cumulative effect might chill the use of privacy-enhancing services that millions depend upon. Gizmodo framed the stakes as nothing less than a potential global precedent against default anonymity.
India’s DPDP Act, notified in phases beginning late 2025, adds another layer of complexity. The law emphasizes consent, data minimization and user rights. Full substantive provisions take effect in 2027. GoDaddy argues the court order runs ahead of and against that framework. It also conflicts with how the company has structured compliance for European customers under GDPR. There, personal registrant data is heavily restricted. Europe made that choice after observing that public WHOIS records fueled harassment and phishing campaigns.
Yet the pressure to act against fake sites is intense. India’s government has highlighted domain abuse as a national concern. The IT ministry and home ministry provided inputs to the original case. Home Minister Amit Shah has called rising cyber fraud a crisis. Against that backdrop, the court sought practical remedies. Mandatory e-KYC for registrations, periodic re-verification, swift data sharing with rights holders and law enforcement. These measures aim to raise the cost of anonymity for bad actors.
Critics inside the industry counter that the approach is blunt. It assumes registrars can instantly distinguish legitimate inquiries from fishing expeditions. It ignores that many small website owners use domains for personal projects, blogs or early-stage businesses. Exposing their contact details invites spam at minimum. Worse outcomes are easy to imagine. And once data leaves the registrar’s controlled environment, there is little recourse.
GoDaddy’s appeal also flags operational headaches. The company would need to overhaul customer flows, update contracts, retrain staff and potentially face liability for mistaken disclosures. Scaling that across its global base while maintaining different rules by jurisdiction sounds nightmarish. Smaller registrars might simply withdraw from India. That could reduce competition and raise prices for Indian customers.
But the case carries implications far beyond one market. Domain governance has long been shaped by ICANN policies that seek global consistency. Privacy rules have trended toward greater protection since the GDPR era. A court victory for the brand owners could encourage similar demands elsewhere. Authoritarian governments might seize on the precedent to demand easier access to registrant data. Democratic ones could face domestic pressure to match anti-fraud measures regardless of privacy trade-offs.
So the July 16 hearing matters. A larger bench will examine whether the original order overreached. Whether it properly balanced fraud prevention against privacy rights. And whether such detailed operational mandates belong in judicial directives rather than legislation or industry-led standards.
Observers note the irony. Efforts to make the internet safer for consumers by curbing impersonation could make it less safe for the very people building legitimate online presences. Small businesses in particular stand to lose. They lack the resources to fight trademark claims or absorb higher costs for privacy add-ons. Journalists and activists in sensitive regions could face heightened personal risk.
GoDaddy has not stopped promoting its privacy features while the case proceeds. Its site continues to highlight free protection. That stance reflects both marketing reality and legal positioning. The company clearly hopes the larger bench will strike a different balance.
Technology policy rarely offers clean answers. Fraud is rampant. Privacy erosion carries real human costs. Global systems resist patchwork regulation. This dispute forces all those tensions into one courtroom. The outcome will not just decide how Indians register domains. It could influence the degree of anonymity available to internet users for years to come.
Additional recent coverage has reinforced these concerns. Medianama detailed how the order mandates e-KYC and re-verification while questioning whether registrars should adjudicate legitimate interest claims. It highlighted unresolved questions around who exactly benefits from disclosure versus who bears the harm. Business Today and other outlets echoed the warning that the rules risk damaging internet safety rather than improving it.
The coming weeks will test whether courts can thread the needle. Or whether this becomes another example of good intentions producing unintended worldwide consequences. One thing is already clear. The domain name system sits at the center of both commerce and expression. Any major shift there reverberates widely. GoDaddy is betting the larger bench recognizes that fact before the changes take permanent hold.


WebProNews is an iEntry Publication