Considering allegations under the Anti-cybersquatting Consumer Protection Act and trademark infringement, the U.S. District Court for the District of Arizona allowed a case to proceed against a domain name proxy service.  Though the merits of the case have yet to be decided, the case offers a ray of hope to brand owners addressing cybersquatted domain names registered by unknown domain registrants.

Defendant Namecheap is a domain name registrar that allows its customers to opt into defendant WhoisGuard’s proxy service.  WhoisGuard keeps a domain registrant’s WHOIS contact information concealed from the public by registering Namecheap’s customers’ domain names in the name of WhoisGuard (i.e., displaying WhoisGuard’s name and contact information in WHOIS records).  It then licenses the domains back to Namecheap’s customers. 

Plaintiffs Facebook, Instagram, and WhatsApp (collectively “Facebook”) alleged that at least forty-five domains registered by WhoisGuard are confusingly similar to their trademarks.  Over sixteen months, Facebook had contacted WhoisGuard about the infringing domain names, asking WhoisGuard to reveal the licensees’ identities.  WhoisGuard refused.  Facebook sued, and WhoisGuard moved to dismiss the complaint for failure to state a claim.  The Court denied WhoisGuard’s motion.

Two agreements were especially relevant to the Court’s decision: Namecheap’s Registrar Agreement and ICANN’s Registrar Accreditation Agreement (“RAA”).  Specifically, Section 3.7.7.3 of the RAA provides that a “registered name holder that intends to license use of a domain name to a third party” accepts liability for the harm caused by wrongful use of the domain “unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party [who has provided] reasonable evidence of actionable harm.”  Because WhoisGuard had failed to provide their licensees’ identities and contact information, Facebook alleged Namecheap and WhoisGuard were liable for the cybersquatting and infringement.

First, the Court held Facebook had plausibly alleged that WhoisGuard was a party to Namecheap’s Registration Agreement.  ICANN requires every registrant of a domain name to enter into a registration agreement, and Namecheap’s Registration Agreement defines “you” and “your” to specifically include “the registrant listed in the WHOIS contact information for the domain”—here, WhoisGuard.  Second, the Court held Section 3.7.7.3’s language can plausibly be read to confer a benefit on third parties like Facebook.

Third, the Court found that Facebook had plausibly alleged that Section 3.7.7.3’s language is incorporated into Namecheap’s Registration Agreement.  Namecheap’s Registration Agreement states that by agreeing to Namecheap’s services, “you have read and agree to be bound by . . . the rules, policies, or agreements published in association with specific of the Service(s) [sic] and/or which may be enforced by [ICANN].”  Namecheap’s Registration Agreement then links to a page titled, “Registrant Rights, Benefits & Responsibilities,” which explains that “ICANN has set forth various rights and responsibilities of Registrants” and links to ICANN’s website.  In turn, ICANN’s website states that, in accordance with the RAA, “the Registrar/Registered Name Holder Agreement must include - at minimum - the following items (as stated at Sections 3.7.7.1 - 12 of the RAA).”

WhoisGuard had argued that ICANN’s own website interprets Section 3.7.7.3 differently.  According to WhoisGuard, ICANN states that if a registered domain name holder allows another person to use the domain who did not enter into the registration agreement “(referred to as a ‘third party’ in the RAA), the Registered Name Holder could be accountable for wrongful use of the domain name by the third party.”  WhoisGuard argued that because its licensees had entered into the Registration Agreement, its licensees were not “third parties” under Section 3.7.7.3, and therefore WhoisGuard could not be liable.  But whatever the merits of this argument, the Court held that the issue on a motion to dismiss was not which interpretation of Section 3.7.7.3 governed, but whether Plaintiffs had plausibly alleged WhoisGuard was liable. 

Notably, Namecheap succeeded on its motion to dismiss because Facebook had argued that Namecheap had “used” the domain names by setting up revenue-generating parking pages.  But because Facebook failed to make such an allegation in its complaint, the complaint against Namecheap was dismissed with leave to amend.  Facebook amended the complaint and Namecheap again moved to dismiss, which motion is pending.

Key Takeaway

Whether a domain name privacy and proxy service will cooperate with a brand owner seeking domain name WHOIS contact information has depended for a long time on which service one is dealing with.  Some are responsive and some are not.  When the European General Data Protection Regulation (GDPR) became effective in 2018 and led to the redaction of most WHOIS contact information, the ability to investigate ownership of abusive domain name registrations became even harder.  Though WhoisGuard’s ultimate liability here is still undecided, this case offers a potential new avenue for brand owners looking to challenge abusive domain registrations where the WHOIS contact information is privacy- or proxy-protected and the service is unwilling to revoke the privacy screen.

The case is Facebook Inc. v. Namecheap Inc., No. 2:20-cv-00470-GMS (D. Ariz. Nov. 10, 2020).