GoDaddy, the world's largest domain registrar, has filed a challenge before a larger Delhi High Court bench against a December 2025 judgment that would strip default privacy protection from domain name owners and require identity verification for every registration. The appeal will be heard on July 16, 2026, alongside separate challenges filed by Namecheap and Hosting Concepts.
The judgment at the centre of the dispute is Dabur India v. Ashok Kumar, delivered on December 24, 2025, by Justice Prathiba M. Singh. The case arose from more than 1,100 domains impersonating major Indian brands, including Tata Sky, Amul, Bajaj Finance, Meesho, and ITC. Fraudsters allegedly used these domains to sell fake franchises and job opportunities. Justice Singh found that registrars were not simply passive hosts: some had promoted alternative infringing domains, sold brand-name variations at a premium, and offered hosting and SEO services to fraudulent sites. On that basis, she narrowed the safe harbour registrars have traditionally enjoyed under Section 79 of the Ministry of Electronics and Information Technology's Information Technology Act.
The judgment issued 14 directions to registrars. Three are being contested. First, registrars must run electronic Know Your Customer (e-KYC) checks on every domain registration and repeat them periodically. Second, they must stop offering privacy-by-default masking of registrant details, making identity redaction a paid add-on instead. Third, they must disclose registrant names, addresses, phone numbers, and email addresses within 72 hours when requested by a court, a law enforcement agency, or any party that claims a legitimate interest.
What GoDaddy Is Actually Arguing
GoDaddy's appeal, which Reuters reviewed and reportedly runs to more than 5,000 pages, makes three distinct arguments. On the privacy default, the company says publishing every registrant's personal contact details exposes legitimate owners, including journalists, activists, and small business owners, to stalking and harassment. It continues to market free privacy protection as a standard feature. On the 72-hour disclosure window, it argues it cannot judge who qualifies as having a legitimate interest, a term the court borrowed from the EU's General Data Protection Regulation but did not define. On the bar against brand-name variations, GoDaddy calls the direction unworkable, pointing out that "McDonald" is a common Scottish surname and that a string like "HUL" would collide with 118 ordinary English words.
The company also invokes the Digital Personal Data Protection Act, 2023, arguing the order violates its requirement to collect and disclose only the minimum personal data necessary. Justice Singh rejected this in her judgment, holding that Section 7(e) of the DPDP Act permits a data fiduciary to process personal data without consent when complying with a court order. She applied the Supreme Court's Puttaswamy proportionality test and ruled that privacy cannot be used to shield illegal conduct. The appeal asks the larger bench to decide which reading of the DPDP Act should govern.
Why This Goes Beyond One Court's Ruling
The domain name system is global by design. A domain resolves identically in Mumbai and Minnesota. GoDaddy argues it cannot apply one WHOIS disclosure policy to Indian registrants and a different one everywhere else, which means an Indian court order effectively writes rules for its entire global customer base. The company calls the directions commercially destabilising and warns that registrars could exit India, which it describes as its largest emerging market, where it manages 80 million domains.
The deeper question the appeal raises is who has the authority to regulate domain registration in India. Justice Singh's order creates an e-KYC regime, mandatory disclosure timelines, and a reserved-names list for government and institutional domains. None of this came through Parliament, a delegated rule-making process, or formal consultation with MeitY. It emerged from a commercial trademark suit. That means the Delhi High Court has, through a single judgment, functionally set national policy for domain registration, and the appeal will test whether a larger bench accepts that.
Internet governance researcher Farzaneh Badii, cited by Reuters, noted that the people most likely to be exposed by removing privacy defaults are journalists, activists, and small business owners, while determined brand impersonators, who typically use layered proxies, would likely remain difficult to identify regardless. That asymmetry sits at the core of the proportionality debate the larger bench will now have to resolve.
If the court upholds the original order, it could serve as a template for courts in other countries to assert similar authority over global registrars operating within their jurisdictions. The July 16 hearing will determine whether the directions survive intact, are narrowed, or are stayed pending a fuller review.