The Anti-Cybersquatting Consumer Protection Act (ACPA) defines cybersquatting (domain squatting or domain hijacking) as registering, trafficking in, or using an internet domain name with a bad faith intent to profit from the goodwill of a trademark or service mark belonging to someone else. See 15 U.S.C. Section 1125(d). Cybersquatting comes in many different forms. There is “typo-squatting” or “domain spoofing,” where a bad actor registers a domain name with a slight change or typo (think gooogle.com versus google.com or amazom.com versus amazon.com). Often, these bad actors advertise similar services and profit from third-party links on their site. In more serious cases, they copy copyrighted content from the legitimate website to trick visitors into purchasing goods or services from their fraudulent site and/or submitting personal information as part of a larger scam. Cybersquatters may also register variations of well-known trademarks in an effort to sell the domain variations back to the trademark owner at a high mark-up.

Prior to the European Union’s adoption of the General Data Protection Regulation (GDPR), it was easier for trademark owners to identify and combat cybersquatters. Pre-GDPR, anyone could run a free WHOIS search to identify contact information for a domain registrant, including their name, mailing address and email address. WHOIS is a public database regulated by the Internet Corporation for Assigned Names and Numbers (ICANN) that stores domain registrant information. Once the relevant registrant was identified, trademark owners could pursue a variety of legal options, from sending a cease and desist letter directly to the domain registrant to initiating federal litigation under the ACPA. But when GDPR went into effect on May 25, 2018, many domain registrars stopped publicly displaying registrant information because doing so is at odds with GDPR, which aims to protect European Union citizens’ privacy by imposing certain restrictions on data collectors and processors. Due to GDPR’s extraterritorial application and the uncertainty surrounding its scope, many registrars erred on the side of caution and removed all registrant information rather than tailoring their removal to EU personal data. Now, a WHOIS search returns only the state or province and country for natural persons and an anonymized email address, rather than a true email address, for domain registrants. Almost overnight, WHOIS transformed from the de facto source for domain registrant information to a rarely helpful search tool.