Domain Name Registrars are now under Compliance Check

Posted on December 30, 2025 by Vijayashankar Na

Naavi has been repeatedly pointing out that the Domain Name Registrars are ignoring legal compliance as a matter of routine.

Now the Delhi High Court has published its order of 24th December 2025 setting some guidelines for Domain Name Registrars in India. The case originated on the basis of a petition by Dabur against websites infringing its trademark. (Dabur India Limited Vs Ashok Kumar and ORS,CS(COMM)135/2022)

The case is also related to to Cyber Crime prevention and the “Digital Arrest” Case being now tried at the Supreme Court. It is also related to Trademark infringement involved in registration of domain names.

The decision has taken into consideration views expressed by ICANN, GoDaddy, CERT In, MeitY, MHA and several other relevant parties.

The judgement has considered issues such as prevention of financial frauds, measures to be implemented by the Registrars etc. It also has brought into discussion some sections of DPDPA 2023 and GDPR into the discussion of protection of Privacy of the registrant.

The judgement  is a gold mine of information for all students of domain name law.

This judgement could be considered a landmark judgement on domain names in India.

Refer the copy of the judgement  here

Summary of Conclusions

Naavi has several times objected to the Domain Name Registrars hiding the names of the registrants under the guise of Privacy. The Court has taken note of this practice and held

“The Court was of the view that disabling the privacy protect feature may be essential to ensure that the identity of the Registrants is available on https://www.whois.com database (hereinafter “the WHOIS database”) among others.”

Naavi is of the firm opinion that registering and hosting a website on the Internet is a activity in the public domain and the identity of the registrar should not be considered as “Personal Information” subject to the Right of Privacy. It is an action that has an impact on others and hence is a “Public Activity” and the identity of the registrant should be considered as a “Right of the society to know”.

In summarizing its conclusions  the Court observed

  1. Domain Names form the online soul of a business and their distinctive character has to be protected.
  2. Misuse of domain names and website content endangers the larger public interest.
  3. Stringent action  needs to be taken to maintain the integrity of the domain name system against parties such as Domain Name REgistrants, Registrar, Registry operator, ICANN, Banks, RBI, Telecom Service Providers, Meity and DOT and Law Enforcement agencies.
  4. It is imperative for all Banks to implement the Beneficiary Bank Account Name Lookup in case of online payments.
  5. It is mandatory for all Banks to cooperate with Law Enforcement Agencies in terms of Central Intelligence and Economic Bureau issued the Standard Operating Procedure dated 31st May, 2024 for processing of requests from LEAs by the banks
  6.  Domain Name Registrars (DNR) must implement Rights Protection Mechanism under specification 7  including use of the Trademark Clearing house data base.
  7. The DNRs ought to submit registered-name data to the Registry Operator, provide public query-based access to essential WHOIS/RDDS information, make registrant data available for ICANN’s inspection, comply with applicable laws and governmental regulations, avoid registering reserved names, verify and periodically re-verify Registrant contact information, investigate inaccuracies, and act promptly against DNS abuse or illegal activity.
  8. DNRs ought to face termination of the accreditation agreement if a Court finds they permitted illegal activity or failed to comply with Court’s orders, or if ICANN determines that the DNRs engaged in bad-faith trademark-conflicting registrations.
  9. DNRs  are obliged to follow ICANN’s WHOIS Accuracy Specification, validating address, email, and phone formats, and verifying email or telephone numbers through tool-based authentication, and must suspend or terminate domain names where registrants wilfully provide inaccurate information and fail to correct it within
    15 days.
  10. The privacy protect feature extended by DNRs to registrants is acting as a cloak to hide the identity of those perpetrating illegal and unlawful acts on the internet  it is necessary to mandate that all DNRs offering their services in India shall collect the details of the Registrants and perform a e-KYC verification in the manner in which NIXI already mandates in India.
  11. DNRs and Registry Operators cannot deny disclosure of Registrant’s details by taking blanket cover under the provisions of GDPR. The applicable privacy law would govern the relevant considerations in each case, and accordingly, the data collected from Registrants in India would be governed in terms of the DPDP Act and its allied Rules All DNRs who offer their domain names registration or ancillary services ought to appoint Grievance Officers who are located in India and publish their email addresses, mobile numbers and other contact details so that they can be contacted for the purpose of obtaining relevant information of the Registrant as also for implementing orders passed by Courts and to provide information to LEAs
  12. DNRs who provide extended services including marketing of domain names may, not merely be considered as intermediaries but as complicit in actively enabling infringement.
  13. It is a settled position in law in India that registration of an infringing domain name would not be permissible as there is every likelihood that the same could lead to diversion of users from the genuine website to the infringing one.
  14. Offering of privacy by default to registrants is one of the reasons for proliferation of illegal domain names. Thus, unless and until a registrant requests for privacy protect, the same should not be offered as a default mechanism
  15. The Government and various institutions ought to create their own list of names that can be misused so that such domain names can be placed in the reserved list.

In view of the above, following directions are issued to DNRs.

1.The DNRs and Registry Operators shall, henceforth, not resort to masking of details of the registrants, administrative contact and technical contact on a default basis as an ‘opt-out’ system. At the time of registration of the domain names, a specific option shall be provided for the Registrant and it is only if the said Registrant chooses for privacy protection, that the said service shall be offered as a value added service upon payment of additional charges. The additional charges shall not be made a part of the default package for registration of domain names.

2.  Whenever any entity or individual having legitimate interest, law enforcement agencies (LEAs) or the Courts, request for disclosure of data relating to any infringing or unlawful domain name, the data (such as name of registrant, admin and technical contacts, addresses, mobile numbers, email address and any payment related information  as well as any value added services provided.) shall be disclosed by the concerned DNR as soon as possible but not later than 72 hours in terms of the Intermediaries Guidelines 2021.

3. If any particular domain name is restrained by an order of injunction or has been found to be used for illegitimate and unlawful purposes, the said domain name shall remain permanently blocked and shall not be put in a common pool in order to disable re-registration of the same very domain name by other DNRs. The appropriate steps in this regard shall be taken by the concerned Registry Operator to ensure that all DNRs having an agreement uniformly give effect to the said direction.

4. In the case of trademarks/brands, which are well-known or are invented, arbitrary or fanciful marks, which have attained reputation/goodwill in India, if a Court of Law directs that there would be an injunction on making available the infringing domain name with different extensions or mirror/redirect/alphanumeric variations, the same shall be given effect to by the DNRs and no alternate domain name shall be made available in respect of such brands and marks.

5. Upon an injunction being issued by the Court in respect of any domain name and the same being communicated to the DNRs, the DNRs shall ensure that no alternative domain name is promoted or being suggested to a prospective Registrant. Any promotion of alternative domain names of an injuncted domain name would disentitle the concerned DNR for safe harbour protection under Section 79 of the IT Act

6.In respect of descriptive and generic marks, the restraining/injunction orders would be qua the specific domain name and any extension of restraining/injunction order for other infringing domain names would be with the intervention of the Joint Registrar before whom the application under Order I Rule 10 of Code of Civil Procedure, 1908 along with affidavit shall be filed and the injunction would be extended. Where any party is aggrieved by the order of the Joint Registrar, the application may be moved or placed before the ld.
Single Judge.

7.Upon orders being passed by a Court, the infringing domain name shall be transferred to the Plaintiff/trademark owner/brand owner, upon payment of usual charges

8.Search engines and DNRs shall not provide any promotion or marketing or optimization services to infringing and unlawful domain names

9.All DNRs offering services in India shall appoint Grievance Officers within a period of one month from today failing which they would be held as non-compliant DNRs.

10.  Service by email to the respective Grievance Officer’s details would be henceforth sufficient service for Court orders and any DNRs who insist upon services through MLAT or through other modes of services shall be held to be non-compliant DNRs.

11. In appropriate cases where an entity has repeatedly not complied with orders of the Court, and in the opinion of the Court it is a case where the interest of society at large is being adversely affected, such as cases of frauds, the Court may direct the appropriate authority to block access to the said entity under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.

12.All Registry Operators having valid agreements with ICANN shall take appropriate steps to implement the Trademark Clearing House services and make the same available to all brand owners & registered proprietors of trade marks.

13. All DNRs offering services in India or to customers in India shall undertake verification of Registrant’s details at the time of registration and periodic verification of the same. The verification shall be done in terms of KYC requirements mentioned in Circular No. 20(3)/2022- CERT-In dated 28th April, 2022 issued by Indian Computer Emergency Response Team. This is in line with the NIXI Accreditation Agreement.

14. All DNRs who are enabling registration of domain names which are administered by NIXI as a Registry Operator shall comply and provide requisite registration data to NIXI within one month of this judgment and also update the same on a monthly basis.

The Court has also given the following directions to the Government (Meity/MHA)

  1. The Government shall hold a stake holder consultation with all DNRs and Registry Operators offering services in India and explore the possibility of putting in place a framework similar to the one used by NIXI by all DNRs for the purpose of domain name registration
  2. Consider nomination of a nodal agency such as NIXI as the data repository agency for India with which all the Registry Operators and the DNRs would maintain details related to Registrants on a periodic basis so that the said details are made available to the Courts, LEAs and the governmental authorities for the purpose of enforcement of
    orders of Courts and for preventing misuse. Alternatively, DNRs shall be directed to localize the data in India for easy access. Irrespective of the decision, it is made clear that processing of personal information would be strictly in terms of the DPDP Act and applicable Rules.
  3. In case of a DNR or Registry Operator, which does not comply with the orders of the Courts or with request from LEAs, the offering of services of such DNRs or Registry Operator be blocked by MeitY and DoT under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.
  4. MeitY along with NIXI shall coordinate with ICANN to enable brand owners in India to avail of TMCH facilities on reasonable terms and conditions so that they can receive notifications whenever any conflicting /infringing domain names are proposed to be registered by any third parties across the globe.
  5. The CGPDTM (Controller General of Patents, Designs and Trade marks) could also consider publishing the list of well-known marks along with the official and authentic website details of the trademark owners so that if any consumer or user wishes to verify the authentic website, the same would be made possible through the website of the Intellectual Property Office. The same shall also act as sufficient notice to all potential Registrants as to the actual websites
  6.  Directions qua grant of ‘Dynamic +’ injunction:  The dynamic + injunction would apply under the following circumstances:
    (i) Wherever the brand/trademark appears as it is in the domain name;
    (ii) Wherever brand/trademark appears with a prefix or suffix which could lead to confusion;
    (iii) Wherever the brand/trademark appears as an alphanumeric variation.
    (xvii) Whenever there is a legitimate Registrant who opposes the suspension of the domain name, if the same is communicated by the said Registrant to the concerned DNR, the DNR may then ask the IP owner to obtain a Court order.

 Also, following directions are issued to Banks.

  1. All banks shall mandatorily implement the ‘Beneficiary Bank Account Name Lookup’ facility in terms of the RBI circular dated 30th December, 2024 for all online payments including payment by UPI through applications such as Google Pay, Paytm, etc.
  2. All banks shall also abide by the Standard Operating Procedures dated 31st May, 2024 issued by Central Economic Intelligence Bureau for processing and responding to requests received from LEAs.

In toto, this is a very comprehensive and useful judgement which will have a long term impact on the industry.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.