How Enom processes data
Resellers can review Enom's data-sharing practices. It is in our best interest and that of our resellers and registrants to prepare for heightened data sharing and privacy standards. Enom believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel the benefits of the GDPR to registrants worldwide.
|Consent and contract||Any data that Enom or the registry/service provider requires to provide a TLD or other product will be processed on a contract basis. It will be included in our contractual agreement with the registrant. We do not need to send a consent request to process this data. Any additional pieces of data requested by the registry but not included in the contract can only be processed with consent from the registrant. Asynchronous services are a special case as Enom doesn't require additional, consent-based data, but the registry/service provider does, although they have not provided a contractual legal basis for processing them.|
|Data controller and processor||The Data Controller determines what data will be processed/selects the means of processing data, while the processor handles the data based on the requirements set by Controllers. Enom doesn't have a direct relationship with the domain owner. We have a contractual one, as required by ICANN and other TLD policies. To enter into our contract to sell a customer a domain name, we need certain pieces of personal data, such as the registrant’s first and last name, organization name (if provided), email address, and country. So, the legal basis for us to process those pieces of data is the performance of a contract, and we are a Controller for those data elements.|
|Data timeline||Data processed from our service contract is kept for the lifetime of the service, plus up to 10 years after the service’s termination. Enom will hold any data we process under the legal basis of consent for the same period as the contract-based data unless consent is withdrawn. In this case, the erasure process begins and can take 60 days to complete. Note that for asynchronous services, Enom will direct the end-user to their reseller to cancel services.|
|ICANN policy||ICANN policy has been updated in response to the GDPR and other worldwide data privacy legislation. When ICANN requirements for registrars conflict with our legal obligations, we will follow the law first and comply with ICANN as best we can.|
GDPR and Whois information
Resellers can access all the Whois contact data that we hold for their end-users within the reseller control panel. Data can only be shared when necessary to fulfill the intended purpose of the data collection. The public Whois system was incompatible with the principles of data privacy that the GDPR affirms. Registrant information is now redacted for privacy on Whois lookups and can be made public by adding Whois publicity to that domain. Public Whois output will still display domain dates, status, nameservers, and sponsoring registrar.
Gated Whois information
The gated Whois is a portal where accredited third parties can access “full” Whois information, and the output available here includes personal data that is hidden from the public Whois. If the domain has ID protection, the privacy masking data will be displayed publicly and within the gated Whois. This means that contact privacy details, including a contact privacy email, will be displayed for domains with ID protection in the gated Whois. For a helpful visual snapshot of the Whois differences, check out our Whois changes blog post. The Whois output for privacy-protected domains will be the same in both the public and gated Whois. We will continue to require a court order or other legal documentation for access to this information, as we do today.
Consent management process
When a registrant visits their Data use consent settings page, they will find an up-to-the-minute list of all the active products they have registered, as well as any products pending consent before the order can be completed. The Data use information page includes an exhaustive list of the TLDs and services offered through Enom and the status of each as either an asynchronous or synchronous service.
For synchronous domains, the provider requests additional pieces of data for which there is no legal, contractual basis to process. In this case, we will ask the registrant for consent to share these additional pieces of data with the provider. In most cases, even if the registrant should withhold or fail to provide consent, Enom can immediately register the domain by sending the registry a combination of the contractual data and placeholders for any data elements that can only be processed with consent. These domains can be registered immediately without using additional personal data beyond what is covered in the contract. If the registrant withholds or revokes consent, any existing services will remain active, and any pending orders will be processed normally. Enom will simply substitute placeholder data for any consent-based personal data.
Asynchronous domains are registered only after the owner provides explicit approval. Since the service cannot be provided without sharing pieces of the registrant’s personal data with the service provider, and there is no GDPR-compliant contract to protect the data, we need the registrant’s permission to share it before we proceed. This permission must be provided in the form of affirmative consent.
Asynchronous TLDs and providing consent
To provide a transparent experience for the registrant, the consent status for any active, asynchronous service is set to “yes-consent” by default. This is because the client is considered to have consented to the data processing by purchasing the service prior to these enhanced data protection requirements coming into effect. Although consent has not yet technically been provided, an affirmative consent status accurately indicates the current data use settings: the end user's personal data have already been processed and shared with Enom and our registry partner(s).
Registrants can revoke consent at any time and will be directed to their reseller to complete their request and cancel the service. The registry does not permit us to replace these consent-based data with placeholder data, so the service would need to be canceled in order to withdraw consent. Failure to provide consent or the decision to withhold consent within 10 days of the domain's registration will result in the order being placed on hold in the Enom system. We are not able to complete orders for asynchronous products without consent from the registrant because placeholders for consent-based data are not accepted.
Withdrawing consent and refunds
Enom does not provide a refund in cases where the end-user decides to cancel an active service because they wish to revoke consent. Please note that in these cases, Enom will log the registrant’s choice to revoke consent, but will direct the end-user to work with their reseller to cancel services.
Refunds will be issued for any pending orders that are canceled because the end-user chooses to withhold consent. The cost of the transaction will be returned to the reseller’s account once the order is canceled. Consent requests remain pending for ten days, after which the order will default to a non-consented status, and the pending order is canceled.
Data consent page
Enom is legally obligated to collect consent from our registrants and to provide them with a straightforward, accessible means of revoking consent. The Data use consent settings page is our solution for fulfilling these obligations and is an essential part of our domain and service registration process. Enom is mentioned on the consent page to allow for a white-labeled solution for our resellers, but this commitment must be met in balance with the legal obligations we have as a data processor and controller. GDPR requires service providers to disclose what personal data they are processing, how this data is being held and processed, and by whom it is being processed; as such, we are transparent about the fact that Enom is processing their data.
Product consent order
The order in which services are presented to the registrant is prioritized so that any actionable or important items are seen first. This means services will be listed in the following order if they are available:
- New products that still require consent from asynchronous products
- New products that still require consent from synchronous products
- Older products where the consent choice has been made for asynchronous products
- Older products where the consent choice has been made for synchronous products
The data collected will depend on whether you have registered the service as an individual or an organization. Accordingly, some of the data described here may not actually be collected. Some registry and service providers will request different information if the registrant is listed as an organization than they do if the registrant is listed as an individual. Our Data use information page outlines all the data we collect for each service, on both contract and consent bases, and clearly indicates any differences between data collected for individual and organization registrant types.
Product consent groups
Each service or product offered through Enom falls into a particular consent group within our system, and once the consent preference is logged for a group, that choice is applied to any future purchases of products within that same group.
In order for two products to fall within the same consent group, they must:
- Be offered through the same service provider
- Contractually require the same data elements
- Request the same consent-based data elements
For example, a registry might operate multiple TLDs and for each of them contractually require the registrant's name, email, and country, but also request consent to process the registrant’s phone number. These TLDs would fall into the same consent group, and once the registrant sets their consent preferences for one of these TLDs, the registrant’s choice would be applied to all future purchases of other TLDs within this group. This means that no future consent request emails would be sent to the registrant for purchases within this group. However, if this same registry offers another TLD for which they request consent to process the registrant’s postal address, in addition to their phone number, the registrant would receive a consent request upon purchasing this TLD, as it would fall into a distinct consent group.
Enom groups products this way so that we can reduce the number of consent requests the registrant receives while ensuring the registrant has complete control over which elements of their personal data are shared and with whom.
Consent emails can be triggered by the registration, update, or transfer of a domain. When the registrant sets their consent preferences, their choices will be logged and applied to any future purchases of products within the same consent group. However, if they purchase a service for which the provider requests additional pieces of data, beyond those for which the registrant has already granted or withheld consent to process, they may receive another consent request. The Enom system waits one minute before sending a consent request email; if multiple services are purchased together, a single consent request email will be sent for all services. In cases where an end-user makes multiple purchases more than one minute apart, multiple emails will be sent. Consent emails can only be sent to the registrant's address; other emails are not considered secure and would violate the GDPR.
Replying to consent emails
When the email times out or is ignored, only asynchronous services will be affected. Ten days following the initial consent request, the registrant’s consent status will default to “non-consent” if we haven’t received a response. Enom will still send a consent request email to the registrant to ensure they have access to the Data use information page even if no consent is required. We do this to fulfill our commitment to maintaining a high level of transparency. A link to the consent page can be resent to the registrant email by initiating a request through your control panel or via the API.
Reseller controls and management
Information and data management
Resellers should not alter registrant information. Certain pieces of information, such as the registrant's full name, organization, email address, and country, will always be required. We need this data for our contractual use and must be able to identify the owner of the domain, and our Domain Registrant Agreement requires the registrant to provide complete and accurate information. The list of contractually required data elements for a particular TLD or service may be longer, depending on Enom's contract with the registry or service provider.
While it is not recommended, you can choose to substitute placeholder data for any data elements that we process using consent as the legal basis when placing orders, but you cannot leave these data fields empty. For an asynchronous service, using placeholder data is possible, but this data will likely not be accepted at the registry level, and the pending order may not be fulfilled by the registry or service provider. For synchronous services, although the consent-based data could be withheld and placeholders used instead, if the client decides to consent to the data being used, they may be confused to discover that even after they have consented, the data is not listed on their domain registration record.
Resellers and the consent page
There is no option to disable the consent page or bypass it as a reseller. Enom is legally obligated to collect consent from our registrants and to provide them with a straightforward, accessible means of revoking consent. This page cannot be edited. The majority of the text on the Data use consent settings page is legal information that we are obligated to disclose, so it cannot be modified.