In 1994, a writer for WIRED magazine registered mcdonalds.com and offered, in print, to hand it over to the burger chain in exchange for a donation to a school. McDonald's, one of the most valuable brands on earth, had simply never thought to claim the address. That small episode is the entire law of domain names in miniature: a globally famous mark, a stranger who got to the name first, a system with no built-in mechanism to sort out who deserves it, and a fortune in goodwill hanging on a string of characters that costs about ten dollars a year to hold.

A domain name still looks like the simplest thing on the internet. You type example.com into a browser and a website appears. Behind that small string, however, sits a layered global naming system, a chain of contracts running from a California nonprofit down to the individual registrant, and a body of law that has been growing for more than a quarter century. The last segment of every domain name--the .com, .org, .uk, or .law after the final dot--is its top-level domain, or TLD. TLDs are where a surprising amount of internet governance, brand strategy, and legal risk is concentrated.

This article explains what a TLD is and how it fits into the architecture of the Domain Name System, then walks through the major categories of TLDs, the role of the Internet Corporation for Assigned Names and Numbers (ICANN), the new gTLD expansion program, and the registry-registrar-registrant chain that allocates names. From there it turns to law: whether a domain is property at all; how WHOIS records and the EU's General Data Protection Regulation affect a brand owner's ability to learn who is behind a name; the rights-protection mechanisms ICANN built into the new gTLD program (the Trademark Clearinghouse, Sunrise and Claims services, the Uniform Rapid Suspension System, and post-delegation procedures); the two principal anti-cybersquatting remedies (the UDRP and the federal Anticybersquatting Consumer Protection Act); and how the U.S. Patent and Trademark Office treats TLDs inside trademark applications, including the Supreme Court's decision in Booking.com. It closes with practical guidance, worked hypotheticals, and a short FAQ.

Throughout, terms of art are explained the first time they appear, and invented parties (clearly labeled, e.g., "Acme Corp.") illustrate how the rules work. The aim is a single explanation that a judge, a lawyer, and a non-specialist business owner can all follow.

What a TLD Is: The DNS Hierarchy in Plain Language

To see what a TLD is, start with the problem it solves. Computers on the internet do not find one another by name. Every device on the network has a numeric Internet Protocol (IP) address. The version still carrying most traffic, IPv4, expresses an address as four numbers separated by dots, such as 141.110.200.1--a 32-bit scheme that yields roughly four billion possible addresses. A newer version, IPv6, uses a much longer alphanumeric string and exists precisely because the world ran out of IPv4 addresses. (There never was an IPv5 in production; the version number was assigned to an experimental streaming protocol in 1979 and the gap was simply never filled.) IP addresses are precise but impossible for humans to remember at scale. The Domain Name System (DNS) is the internet's directory: it translates human-friendly names like mclaw.io into the numeric addresses routers actually use, much as a contacts app lets you dial "Mom" instead of a ten-digit number.

The DNS is organized as a hierarchy, read from right to left. At the very top--invisible and usually unwritten--is the root zone, conventionally represented by a single trailing dot. Immediately below the root sit the top-level domains. Below each TLD are second-level domains (SLDs)--the part most people think of as "the name," such as mclaw in mclaw.io or example in example.com. Below those can sit third-level labels, often called subdomains, such as www or mail. So in the fully qualified name www.example.com., reading right to left, you have the root (the final dot), the TLD (com), the second-level domain (example), and a subdomain (www).

The TLD, then, is the rightmost meaningful segment of a domain name, and it is the level of the hierarchy ICANN administers most directly through contracts with the organizations that operate each TLD. Everything below the TLD--who may register acme.com versus acme.org, what it costs, and how disputes are handled--is governed by the policies of the specific TLD's operator, within rules ICANN sets at the top. That is why the choice of TLD is not merely cosmetic. It determines which registry you deal with, which dispute policies apply, what rights-protection mechanisms exist, and, increasingly, how a court or trademark examiner will perceive the name.

When a user types a name, a resolver (typically run by the user's internet service provider or a public provider such as the ones at 8.8.8.8 or 1.1.1.1) walks the hierarchy: it asks a root server which servers are authoritative for the TLD, asks those TLD servers which servers are authoritative for the second-level domain, and finally asks those servers for the IP address. The whole sequence completes in milliseconds, and the answers are cached so the next visitor's lookup is faster still. Because DNS sits at this chokepoint, attacks on it--DNS spoofing (feeding a resolver a false answer) or DNS hijacking (seizing control of a name's records)--can silently redirect a brand's traffic to a malicious clone, which is one reason domain security belongs in every business's risk program and matters acutely to firms handling sensitive client data.

The Major Categories of TLD

TLDs are not all the same kind of thing. Understanding the categories is the foundation for everything that follows, because each carries different registration rules, different operators, and different legal exposure.

Generic Top-Level Domains (gTLDs)

A generic top-level domain is a TLD not tied to a country. The original handful--.com, .org, .net, .edu, .gov, .mil, and .int--date to the 1980s. The most familiar, .com (originally for "commercial"), is operated by the registry Verisign and remains the most recognized and trusted ending worldwide, which is why most businesses still want the .com of their brand even when they market under something else. Pricing illustrates how much registry economics flow from ICANN's contracts rather than open competition: Verisign's registry agreement permits it to raise the wholesale .com price by up to 7% in most years, a cap that does not apply to many newer or repurposed endings whose operators can raise renewal prices with far fewer constraints. .org (operated by the Public Interest Registry) was associated with nonprofits, and .net (also Verisign) with network infrastructure, though both are now used broadly. Newer generic strings can also build technical policy into the TLD itself--.dev and .app (operated by Google Registry), for instance, are on the HSTS preload list, so browsers require an HTTPS (TLS-encrypted) connection for every domain under them, making security a non-negotiable condition of using the namespace. Several legacy gTLDs are restricted: .edu, .gov, and .mil are limited to U.S. educational institutions, government bodies, and the military respectively, and a registrant must qualify to obtain one. That gatekeeping is itself a feature--an impostor generally cannot register irs.gov-style lookalikes inside a restricted space.

Country-Code Top-Level Domains (ccTLDs)

A country-code top-level domain is a two-letter TLD assigned to a country or territory based on the international standard list of country codes (ISO 3166-1)--.uk for the United Kingdom, .de for Germany, .ca for Canada, .fr for France, .jp for Japan, and so on. ccTLDs are administered by national or regional operators (for example, Nominet for .uk, DENIC for .de, CIRA for .ca, AFNIC for .fr, Red.es for .es (Spain), and SWITCH for .ch (Switzerland)), and each sets its own registration rules. Some require a local presence or genuine connection to the country; others are open to anyone. A small number of regional TLDs operate like ccTLDs but represent a supranational bloc rather than a single nation--.eu, run by EURid, is available only to individuals and organizations established in the European Union (a residency or establishment condition that itself functions as a light gatekeeping mechanism).

A recurring theme--and a recurring source of legal and reputational complications--is that several ccTLDs have been repurposed far from their geographic origin because the two letters happen to spell something marketable. .io is the ccTLD of the British Indian Ocean Territory but is used worldwide by technology startups. .co (Colombia, operated by a Neustar/GoDaddy-affiliated registry) markets itself as a global alternative to .com. .ai is Anguilla's code but has become shorthand for artificial intelligence. .me (Montenegro) is used for personal branding (about.me), .tv (Tuvalu) for video and streaming brands (and priced at a premium for exactly that reason), .cc (the Cocos (Keeling) Islands, operated by Verisign) for niche tech and media, and .is (Iceland, operated by ISNIC) for clever phrasing ("this.is"). For these repurposed ccTLDs, brand owners should remember that the operator is still a foreign registry following its own national rules, and that the dispute mechanisms available may differ from those for gTLDs--some ccTLD registries have adopted the UDRP or a close variant, others run their own bespoke process, and a handful offer no administrative remedy at all, leaving litigation in the registry's home jurisdiction as the only path. Other ccTLDs carry geopolitical baggage--.ru (Russia), .ir (Iran), and .sy (Syria), for example--that can affect how a domain is perceived or whether it raises sanctions and compliance concerns for an international business; .ir and .sy in particular have very limited adoption outside their home countries, due in part to sanctions and political restrictions.

Sponsored TLDs (sTLDs)

A sponsored top-level domain is a specialized gTLD with a defined community sponsor and eligibility rules the sponsor enforces. Examples include .aero (the air-transport industry), .coop (cooperatives), .museum (museums), and .jobs (human-resources use). The sponsor acts as a gatekeeper, so registrants typically must show they belong to the relevant community. Sponsored TLDs matter legally because the eligibility restrictions can themselves be a defense against, or a complement to, brand-abuse claims--an impostor often cannot even register in a tightly sponsored space, which converts the problem from after-the-fact enforcement into front-end prevention.

New gTLDs

The biggest change to the TLD landscape came from ICANN's new gTLD program, which opened the gTLD space to hundreds of new strings. These include descriptive words (.app, .tech, .shop, .blog, .law, .bank), geographic and cultural terms (.nyc, .london, .berlin), internationalized strings in non-Latin scripts (early delegations included the Chinese 游戏 for "game" and the Arabic شبكة for "network"), and .brand TLDs that a single company operates for itself (for example, a hypothetical Acme Corp. running .acme). Because these strings did not exist before, and because some are obvious targets for abuse, ICANN engineered an entire suite of trademark protections into the program, discussed below. The new gTLD program is the legal center of gravity for modern TLD practice, and it repays understanding both how it works and why it exists.

Distinct from all of the above are blockchain "domains" such as .eth (Ethereum Name Service) and similar Web3 naming systems. These look like TLDs but exist entirely outside the ICANN-coordinated DNS root: they resolve only through specialized wallets, browser extensions, or gateways, are recorded on a public ledger rather than in a registry database, and--critically for lawyers--are not subject to the UDRP, the URS, or the ICANN contractual hierarchy. A brand owner cannot use the rights-protection mechanisms described below to recover an infringing .eth name; enforcement, where it is possible at all, depends on ordinary trademark litigation and on the policies (if any) of the particular naming protocol. The collision between blockchain naming and trademark rights is an emerging and largely unsettled area.

ICANN's Role and the New gTLD Program

What ICANN Is and What It Does

The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization that coordinates the internet's unique-identifier systems--principally the DNS and the allocation of IP address blocks--so that names and numbers remain unique and globally resolvable. ICANN does not sell domain names. Instead it sits atop a contractual hierarchy: it accredits and contracts with the registries that operate each TLD and with the registrars that sell registrations to the public, and it sets baseline policies through a multi-stakeholder process in which governments, businesses, technical experts, and civil society participate. (The U.S. government historically oversaw the DNS root through an arrangement with ICANN; that stewardship transition concluded in 2016, leaving ICANN's coordination function under the multi-stakeholder community rather than direct government control.)

Three of ICANN's outputs matter most to lawyers and brand owners. First, ICANN's contracts with registries and registrars determine what data must be collected about registrants and how it may be disclosed--the subject of the WHOIS and GDPR discussion below. Second, ICANN promulgated and maintains the Uniform Domain-Name Dispute-Resolution Policy (UDRP), the contract-based, arbitration-like system through which most trademark-versus-domain disputes are resolved. Third, ICANN designed the new gTLD program and its rights-protection mechanisms. In other words, much of the substantive "law" of domain names is not statute at all--it is ICANN policy enforced through private contracts that flow downhill from the registry agreement to the registrar accreditation agreement to the registration agreement the individual registrant clicks through. That contractual architecture is what lets a private policy like the UDRP bind a registrant who never negotiated it.

The New gTLD Program

For most of the internet's history there were only a couple dozen gTLDs. In 2008 ICANN's board approved a program to expand that space dramatically, and after years of policy development the first application round opened in 2012. ICANN received roughly 1,900 applications; by mid-2013 it had executed the first new registry agreements, and the first new gTLDs began launching that fall. Today there are well over a thousand gTLDs in the root, and ICANN has been preparing a next round of applications to allow further additions.

The program's rationale was competition, innovation, and consumer choice--more space, more meaningful names, and the ability of communities and brands to run their own TLDs. But as the Expert Q&A on Brand Protection in the Expanded gTLD Program (Practical Law) and many practitioners observed, the expansion also multiplied the surface area for abuse. Every new gTLD creates a fresh namespace in which a cybersquatter can register acme.tech, acme.shop, or acme.app, and accompanying second-level space invites a corresponding rise in phishing, counterfeiting, and consumer deception. Brand owners faced the prospect of monitoring, and potentially defensively registering, their marks across hundreds of new endings--an enormous and recurring cost. To contain it, ICANN required every new gTLD registry to implement a standardized set of rights-protection mechanisms (RPMs), described in detail below. Those mechanisms are the program's most important legal feature, and they represent a deliberate policy bargain: more namespace in exchange for built-in, system-wide trademark safeguards.

For brand owners building a coherent protection strategy across this expanded landscape, see Brand Protection Online: A Strategic Guide for Businesses.

The Registry-Registrar-Registrant Chain

Domain names are allocated through a three-tier chain, and knowing who occupies each tier is essential to understanding both how to register a name and whom you can (and cannot) hold responsible when something goes wrong.

A registry is the organization that operates a particular TLD--it maintains the authoritative master database of every second-level domain registered under that TLD and publishes the DNS records that make those names resolve. Verisign operates .com and .net; the Public Interest Registry operates .org; Identity Digital operates a large portfolio of new gTLDs; national operators run the ccTLDs. There is exactly one registry per TLD--a structural monopoly at the top of each namespace, which is precisely why ICANN's registry contracts can dictate uniform policy.

A registrar is an ICANN-accredited company that sells registrations in one or more TLDs to the public and interfaces with the registry on the customer's behalf. Familiar registrars include GoDaddy, Namecheap, and many others; there are also "wholesale" registrars that serve resellers. A registrant deals with a registrar, not directly with the registry.

A registrant is the person or entity that registers and holds a particular domain name. People casually say a registrant "owns" the name, but the legal nature of that interest is genuinely unsettled--enough so that it deserves its own discussion.

Is a Domain Name Property?

Courts and commentators have advanced three competing theories about what a registration actually is. The first treats a domain as nothing more than an address, like a postal listing: it locates you but confers no property right. The federal court in Dorer v. Arel, 60 F. Supp. 2d 558 (E.D. Va. 1999), gestured (in dicta) toward this view, suggesting a name has value only to the extent its use adds value. The second theory treats a domain as a form of intangible property. The Ontario Court of Appeal embraced that position in Tucows.com Co. v. Lojas Renner S.A., 2011 ONCA 548, holding that a .com registration is personal, intangible property and observing that "the dominant view emerging from international jurisprudence and academic commentary appears to be that domain names are a new type of intangible property"; some U.S. courts have echoed it (e.g., Caesars World, Inc. v. Caesars-Palace.com, 112 F. Supp. 2d 505 (E.D. Va. 2000)). The third theory treats the registration as a purely contractual right governed by the registration agreement (e.g., Network Solutions, Inc. v. Umbro International, Inc., 529 S.E.2d 80 (Va. 2000)). The UK registry Nominet states the contractual view bluntly in its terms: "A domain name is not an item of property and has no 'owner.' It is an entry on our register database . . . which we provide as part of this contract."

The practical takeaway is that what a registrant holds is, at minimum, a bundle of contractual rights to have a name resolve--rights that can be transferred, but that exist only because of the registry-registrar contracts above them. The label matters in concrete disputes: whether a creditor can garnish a domain, whether a trustee in bankruptcy can sell it, and whether it can be the res in an in rem action (discussed below under the ACPA) all turn on which theory a given court adopts. The cautious assumption is that a valuable domain is an asset worth protecting by contract and good housekeeping, not a deed you can rely on a recording office to defend.

Why the Intermediaries Are Usually Off the Hook

The chain also explains a critical liability point. Because registrars and registries are typically passive intermediaries, courts have generally refused to hold them liable for a customer's cybersquatting. Under the Anticybersquatting Consumer Protection Act, a registrar or registry cannot be liable in damages for registering or maintaining a name for someone else absent its own bad-faith intent to profit (15 U.S.C. 1114(2)(D)(iii)). Courts have applied this protection robustly--see Rigsby v. GoDaddy Inc., 59 F.4th 998, 1006 (9th Cir. 2023) (registrar shielded where its activities did not extend beyond registration); Petroliam Nasional Berhad v. GoDaddy.com, Inc., 737 F.3d 546 (9th Cir. 2013) (no contributory-cybersquatting claim against a registrar); and Bird v. Parsons, 289 F.3d 865, 881 (6th Cir. 2002) (registrars and domain auction sites do not "register or traffic in" names within the meaning of the ACPA). The party to pursue is almost always the registrant.

Domain Acquisition and Transfer

When a registrant buys a name, the registrar checks availability against the registry, collects the required registration data, and creates the registration; the registry then publishes the DNS records. Registrations are leases for a term (commonly one to ten years) and must be renewed. Names can be sold or assigned, typically using a domain name transfer agreement that addresses representations of clear title, the mechanics of the registrar-to-registrar transfer, escrow of the transfer authorization code, and allocation of risk if the transfer fails. Because transfers happen entirely within the registrar/registry system, the buyer's protection comes from the contract plus the technical lock-and-unlock process, not from anything resembling a real-property recording system. A buyer of a high-value name should treat title diligence the way it would for any intangible asset: confirm the seller is the registrant of record, verify the name is unencumbered by a pending UDRP or court order, and condition payment on a confirmed transfer rather than a promise.

WHOIS and the Impact of GDPR

What WHOIS Is

WHOIS (a pun on "who is") is the system of publicly queryable databases that historically published the contact details associated with a domain registration--the registrant's name, organization, postal address, email, and phone number, along with administrative and technical contacts and the registrar of record. For decades WHOIS was the first tool a brand owner or its counsel used when a suspicious domain appeared: a quick lookup often revealed exactly who had registered acme-support.com and how to reach them, which made cease-and-desist letters, UDRP complaints, and ACPA suits far easier to mount.

The GDPR Blackout

Even before the regulatory blackout, many registrants masked their details voluntarily: registrars have long sold an optional domain privacy (or "WHOIS privacy") service that substitutes the registrar's or a proxy provider's contact information for the registrant's own in the public record, shielding the registrant from spammers, data harvesters, and casual snoopers. That changed at scale in 2018, when the EU's General Data Protection Regulation (GDPR) took effect. The GDPR is a comprehensive European data-protection law that restricts the collection, processing, and publication of personal data and imposes large penalties for violations (up to the greater of EUR 20 million or 4% of worldwide annual turnover for the most serious breaches). Because registrant contact details are personal data, registrars and registries faced a conflict between their ICANN contracts (which required them to publish WHOIS data) and EU law (which forbade publishing much of it). Rather than gamble against a regulator, the industry largely went dark: most WHOIS records now display redacted or anonymized registrant information instead of names and addresses.

ICANN responded by issuing a Temporary Specification for gTLD Registration Data that allowed registrars to redact public WHOIS data while requiring them to provide "reasonable access" to the underlying information to parties with a legitimate interest. That standard proved inconsistent in practice--registrars differ widely in how, and whether, they respond to disclosure requests. ICANN's community then worked through an Expedited Policy Development Process toward a System for Standardized Access and Disclosure (SSAD), intended to give trademark owners and law enforcement a structured, credentialed way to request registrant identity when circumstances warrant. The broader trend in global privacy law--illustrated by transfer-mechanism cases like those discussed in International Data Transfers After Schrems II--reinforces that registrant data will remain protected by default, with disclosure the exception. The lesson for brand owners is structural: the era in which a single lookup unmasked a squatter is over, and enforcement workflows have to be rebuilt around that reality.

How Brand Owners Investigate in the Post-GDPR World

The WHOIS blackout did not make cybersquatting investigations impossible; it made them more laborious. Counsel today typically combines several approaches. They check WHOIS anyway, because some registrants authorize disclosure and some registrars still show limited data. They examine the website itself--terms of use, privacy policies, payment pages, SSL certificates, and contact forms frequently reveal the operator. They write directly to the registrar invoking a legitimate interest, while recognizing the registrar may simply forward the request to the registrant (who may then move or hide the name). And when necessary they file suit against a "John Doe" defendant and serve a subpoena on the registrar to compel disclosure of the registrant's identity, sometimes via a motion for early discovery (see, e.g., Marketo, Inc. v. Doe, 2018 WL 6046464 (N.D. Cal. Nov. 19, 2018); Teal v. Gibbs, 2011 WL 13229629 (N.D. Ala. June 28, 2011)). For investigations that ultimately rely on the contents of the suspect website, preserving that evidence properly matters; see Capturing the Web: Authenticating Website Screenshots as Evidence in Federal Court. And a precise, well-supported demand letter is often the efficient first move; see Drafting a Trademark Cease and Desist Letter.

Trademark Protections Built Into the gTLD System

The new gTLD program is unusual among technology systems in that trademark protection is engineered into its architecture rather than bolted on afterward. ICANN required every new gTLD registry to implement a common set of rights-protection mechanisms. The four most important are the Trademark Clearinghouse, the Sunrise and Claims services it powers, the Uniform Rapid Suspension System, and the post-delegation dispute procedures aimed at registries themselves.

The Trademark Clearinghouse (TMCH)

The Trademark Clearinghouse (TMCH) is a single, global database of validated trademark records that powers the program's pre-registration protections. A brand owner submits its mark; the TMCH verifies it; and once verified, the mark becomes the key that unlocks the Sunrise and Claims services across all new gTLDs--a record-once, protect-everywhere design that spares owners from registering separately with each registry. Eligible records include nationally or regionally registered marks, marks validated by a court, and marks protected by statute or treaty. Crucially, unregistered (common-law) marks generally are not eligible, nor are pending applications--so a brand relying on common-law rights must usually obtain a registration before it can take advantage of the TMCH. To use the Sunrise service, the owner must also submit a declaration and proof of use of the mark, typically a specimen and a statement that the mark is in current use.

The TMCH has an important limitation built into its matching rules: it protects only strings that are identical to the recorded mark. If Acme Corp. records the mark BERATE, the TMCH will not flag or block a near-miss like BERAIT. The rules permit a limited set of variations--an owner may record up to ten variant strings (for example, to handle characters like & or @ that are impermissible in domain strings) and up to fifty additional variations that were the subject of a prior successful court action or UDRP proceeding--but the system does not catch typosquatting or confusingly similar misspellings on its own. That gap is why most brand owners pair a TMCH record with a commercial watch service that monitors for confusingly similar registrations across the new gTLDs, including misspellings, homoglyphs, and alternate spellings. Recording a mark in the TMCH is also a natural complement to a broader clearance and registration program; see How to Conduct a Comprehensive Trademark Clearance Search and Federal Trademark Application Checklists: From Preparation to Registration.

Sunrise and Claims Services

The TMCH powers two time-limited services that every new gTLD registry must offer when it launches.

The Sunrise service gives owners of TMCH-recorded marks a head start. Before registration in a new gTLD opens to the general public, there is a Sunrise period (a minimum of 30 days) during which only owners of validated marks may register the matching second-level domain. The traditional "first come, first served" rule of domain allocation is suspended in favor of rights holders. This is what lets Acme Corp. secure acme.shop before a squatter can, provided Acme has recorded ACME in the TMCH and submitted proof of use.

The Claims service follows Sunrise and runs for at least 90 days. During the Claims period, if anyone attempts to register a second-level domain that is an exact match to a TMCH-recorded mark, the registry must display a warning notice to that applicant alerting them to the existing rights. If the applicant proceeds anyway, the registry notifies the mark owner, who can then decide whether to act. Claims does not block registration; it injects friction and surveillance into the process, deterring opportunists and giving the brand owner early warning while the trail is fresh.

The Uniform Rapid Suspension System (URS)

The Uniform Rapid Suspension System (URS) is a fast, inexpensive remedy designed specifically for clear-cut abuse in the new gTLDs. It complements rather than replaces the UDRP: a complainant who loses a URS case may still pursue the UDRP or a court action. To prevail in a URS proceeding, the complainant must show three things, which largely track the UDRP elements:

  1. The disputed domain name is identical or confusingly similar to a word mark for which the complainant holds a valid national or regional registration in current use, or that has been validated by a court, or that is protected by statute or treaty (a TMCH record can satisfy this ownership-and-use showing);
  2. The registrant has no legitimate right or interest in the domain name; and
  3. The domain name was registered and is being used in bad faith.

The differences from the UDRP are deliberate. The URS applies a higher burden of proof (clear and convincing evidence), is meant for "slam dunk" cases, carries lower fees, and offers a narrower remedy: a successful complainant gets the domain suspended for the balance of the registration period (so it resolves to a notice page), not transferred to the complainant. A brand owner who actually wants to acquire the name, or who has a fact-intensive case, will still prefer the UDRP or the ACPA. In practice the URS is the right tool for high-volume, obvious squats--a counterfeit-storefront domain you want dark by next week--while the UDRP is the workhorse for everything you want to keep.

Post-Delegation Dispute Procedures

The mechanisms above target individual registrants. ICANN also created post-delegation dispute resolution procedures (PDDRPs) aimed at the conduct of new gTLD registries themselves. The Trademark PDDRP lets a brand owner complain that a registry operator is affirmatively facilitating or profiting from trademark infringement at the top or second level of its TLD--for example, by operating a TLD in a manner that systematically encourages infringing registrations. Companion procedures, such as the Registration Restrictions PDDRP, address registries that fail to enforce the eligibility restrictions they promised. These registry-level procedures are rarely invoked, but they are an important structural backstop: they make the operator of a TLD, not just individual squatters, accountable for systemic abuse, and their existence helps keep registry behavior in line even when they sit unused.

Domain Name Disputes: The UDRP and the ACPA

When a brand owner finds its mark embedded in someone else's domain name, it generally has two principal weapons: the contract-based UDRP and the federal statutory cause of action under the Anticybersquatting Consumer Protection Act (ACPA). They are not mutually exclusive, and they serve different purposes. Understanding the trade-offs is the heart of domain-dispute strategy.

Cybersquatting and Its Mirror Image

Cybersquatting (also called cyberpiracy) is, broadly, registering a domain name that incorporates another's trademark in order to profit from the mark--by ransoming the name back to the brand owner, by diverting the brand's customers to the registrant's own site, or by trading on the mark's goodwill. The classic early cases were exactly that brazen: a registrant grabs a famous mark before its owner thinks to, then waits to be paid. Typosquatting is a refinement--registering predictable misspellings (gooogle.com, amazonn.com) to catch fat-fingered traffic.

The mirror image is reverse domain name hijacking, in which a large rights holder uses its legal and financial muscle to try to strip a legitimate registrant of a valuable name. The early disputes over ordinary English words like "Prince" and "Clue"--each a registered mark for someone but also a perfectly ordinary word a non-infringing registrant might want--showed how the cudgel could swing the other way. Both the UDRP and the ACPA contain safeguards against overreach, and a UDRP panel can formally find that a complainant attempted reverse hijacking, a finding that carries reputational sting and can be cited against the complainant later.

The UDRP

The Uniform Domain-Name Dispute-Resolution Policy (UDRP) is an ICANN policy adopted in 1999 and incorporated by reference into every gTLD registration agreement (many ccTLDs have adopted their own variants). It is not litigation; it is a streamlined administrative proceeding decided on written submissions by a panel at an approved dispute-resolution service provider (DRSP), principally the World Intellectual Property Organization (WIPO) and the FORUM. To prevail, a complainant must prove three elements:

  1. The respondent's domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights;
  2. The respondent has no rights or legitimate interests in the domain name; and
  3. The domain name was registered and is being used in bad faith.

The UDRP's appeal is speed and cost: a typical case resolves in roughly two months for a few thousand dollars in fees, with no discovery, no live testimony, and worldwide reach regardless of where the registrant sits. Its limits are equally important. The only remedies are cancellation or transfer of the name--no damages, no injunction against other uses of the mark, and no order reaching conduct beyond the domain itself. The "registered and used in bad faith" element is conjunctive in most panel decisions, which can defeat a complaint against a name registered innocently and only later put to abusive use--a meaningful gap, because a defendant who bought a name in good faith years ago is hard to reach under the UDRP even if the name is now misbehaving. And a complainant who overreaches risks a reverse-hijacking finding and the precedential drag of a published loss. For the mechanics of preparing and filing a complaint--selecting a DRSP, drafting the bad-faith allegations, and navigating the registrar lock--see How to File a UDRP Complaint for Domain Name Disputes.

One procedural wrinkle worth flagging: under rules revised in 2015, the complainant files only with the DRSP, which then serves the respondent and notifies the registrar; the registrar must lock the disputed name (preventing transfer or deletion) within two business days of notice and before any notice reaches the respondent, so a squatter cannot simply flee mid-case by shuffling the name to a new registrar or a confederate.

The ACPA: 15 U.S.C. 1125(d)

Congress enacted the Anticybersquatting Consumer Protection Act of 1999, codified at 15 U.S.C. 1125(d) as Section 43(d) of the Lanham Act, to give trademark owners a true federal cause of action against cybersquatters--something the UDRP, as a private contract, cannot provide. Although courts phrase the elements slightly differently, a plaintiff must establish that:

  1. It owns a valid trademark that was distinctive or famous as of the date the challenged domain name was registered;
  2. The defendant registered, trafficked in, or used the challenged domain name;
  3. The domain name is identical or confusingly similar to (or, for famous marks, dilutive of) the plaintiff's mark; and
  4. The defendant acted with a bad-faith intent to profit from the plaintiff's mark.

(See 15 U.S.C. 1125(d); DaimlerChrysler v. The Net Inc., 388 F.3d 201, 204 (6th Cir. 2004).) A federal registration creates a presumption of valid ownership (15 U.S.C. 1057(b)) and of distinctiveness as of the registration date, but a registration is not required--common-law rights established by use in U.S. commerce will support an ACPA claim (Lahoti v. VeriCheck, Inc., 586 F.3d 1190, 1196-97 (9th Cir. 2009)). Distinctiveness or fame is measured as of the date the challenged domain was registered, so a mark that became distinctive only afterward generally cannot support the claim (GoPets Ltd. v. Hise, 657 F.3d 1024, 1032 (9th Cir. 2011)).

The Nine Bad-Faith Factors

The defining element is bad-faith intent to profit. The statute supplies a non-exhaustive list of nine factors courts may weigh (15 U.S.C. 1125(d)(1)(B)(i)), which can be summarized as: (1) any trademark or other rights the registrant has in the name; (2) whether the name is the registrant's own legal or commonly used name; (3) the registrant's prior bona fide use of the name in offering goods or services; (4) bona fide noncommercial or fair use of the mark on a site at the name; (5) intent to divert the mark owner's customers in a way that harms the mark's goodwill, whether for profit or to tarnish; (6) an offer to sell the name to the mark owner for profit without having used it bona fide; (7) providing false contact information or failing to maintain accurate information when registering; (8) registering multiple names the registrant knows are others' marks; and (9) the extent to which the mark is or is not distinctive or famous. The factors are a guide, not a checklist--courts weigh them holistically and routinely find bad faith (or its absence) without a clean tally. The statute also includes a safe harbor: a registrant who believed and had reasonable grounds to believe the use was fair or otherwise lawful is not liable. Courts construe that safe harbor narrowly, reserving it for genuinely close cases and refusing to let it rescue a defendant whose own conduct (false WHOIS data, a pattern of registrations, an offer to sell) betrays the requisite intent. See, e.g., People for the Ethical Treatment of Animals v. Doughney, 263 F.3d 359, 369 (4th Cir. 2001) (rejecting a safe-harbor defense where the registrant knew he was using another's mark).

Remedies, In Rem Jurisdiction, and Where the ACPA Beats the UDRP

The ACPA's advantages over the UDRP are remedial and jurisdictional. A successful ACPA plaintiff can obtain transfer or cancellation and monetary relief, including the cybersquatter's profits, actual damages, or, at the plaintiff's election, statutory damages of $1,000 to $100,000 per domain name (15 U.S.C. 1117(d)), plus attorney's fees in exceptional cases. Statutory damages are the ACPA's teeth: they let a plaintiff recover without proving actual loss--often impossible against a parked name--and they scale with the number of infringing domains, which is what makes the statute the right tool against a serial squatter holding dozens of variants.

The ACPA also solves the "anonymous or foreign squatter" problem through in rem jurisdiction: where the registrant cannot be found or is beyond the court's personal jurisdiction, the owner may sue the domain name itself in the judicial district where the registry or registrar is located (15 U.S.C. 1125(d)(2)). For .com names, that frequently means the Eastern District of Virginia, home to Verisign--a forum with deep experience in such actions. The trade-off is that in rem actions yield only transfer or cancellation--no money. The ACPA applies to names registered before, on, or after its November 29, 1999 enactment, subject to jurisdiction, with monetary relief limited for pre-enactment conduct (PETA v. Doughney, 263 F.3d at 368).

Notably, the ACPA can also be used to challenge a UDRP outcome. A registrant who loses a UDRP proceeding can bring a federal action seeking a declaration of non-cybersquatting and reversal of the transfer, and a brand owner who loses a UDRP can sue under the ACPA for a fresh, de novo adjudication with discovery and damages. The two systems thus interlock: the UDRP is the fast, cheap first resort, and the ACPA is the heavier instrument for high-stakes, fact-intensive, or money-on-the-table disputes. A separate provision, 15 U.S.C. 8131 (originally 15 U.S.C. 1129), addresses personal-name cybersquatting--registering a living person's name as a domain without consent and with the specific intent to profit by selling it--which is narrower than the trademark claim and reaches the squatter who targets an individual rather than a brand. Overlapping name disputes can also implicate the right of publicity; see Right of Publicity Basics.

For the trademark-confusion analysis that underlies the "confusingly similar" element in both systems, see Navigating the Maze of Trademark Confusion: Key Considerations for Brand Owners. Cybersquatting claims are also frequently paired with ordinary trademark-infringement and dilution claims when the squatter's use of the name is likely to confuse consumers; the foundational vocabulary for those claims is laid out in Trademark Basics.

A Worked Example: Choosing Between the Tools

The following is a hypothetical. Suppose Acme Corp. owns a federally registered, well-known mark ACME for cloud software and discovers that a stranger has registered acme-cloud-login.com, populated it with sponsored links to competing products, and listed it for sale at $25,000. Acme's quickest path is a UDRP complaint with WIPO: the name is confusingly similar to ACME, the registrant has no legitimate interest, and the pay-per-click parking plus the sale offer evidence bad-faith registration and use. If Acme wins, the name is transferred in roughly two months for a few thousand dollars.

Now change two facts. Suppose the same stranger has also grabbed acme-support.com, acme-billing.com, and eight other variants, and has hidden behind a privacy service so Acme cannot identify a human defendant. Here the UDRP's transfer-only remedy and one-name-at-a-time posture undersell Acme's case. An ACPA suit lets Acme aggregate the eleven domains, elect statutory damages (potentially up to $100,000 per name), recover fees if the case is exceptional, and--because the squatter is anonymous and may be overseas--proceed in rem against the names in the district where the registrar sits, naming the domains themselves as defendants. The choice always turns on the same three questions: do you want the name or the money, how strong is your bad-faith evidence, and how much are you willing to spend to get a difficult or invisible defendant.

How the USPTO Treats TLDs in Trademarks

A persistent question for brand owners is whether the TLD portion of a domain name has any independent trademark significance. The U.S. Patent and Trademark Office's traditional answer is essentially "no": a TLD by itself does not function as a source identifier and adds little or nothing to the distinctiveness analysis. When an applicant seeks to register a mark consisting of a domain name, the examining attorney typically evaluates the second-level portion and treats the gTLD (like .com) as the equivalent of a corporate designation--background matter signaling "this is a commercial website" rather than identifying a particular source. So SOFTWARE.COM for software is no more registrable than SOFTWARE alone; bolting .com onto a generic or merely descriptive term usually does not rescue it. A domain can, however, acquire trademark significance through use--the relationship between a domain and a mark is laid out in Copyright vs Trademark: What Is the Difference and the trademark fundamentals in Trademark Basics.

Booking.com and the End of a Per Se Rule

That tidy rule met its limit in United States Patent and Trademark Office v. Booking.com B.V., 591 U.S. 549 (2020). The USPTO had refused to register BOOKING.COM for online hotel-reservation services, contending that "booking" is generic for that service and that adding the generic .com could never yield anything but a generic, unregistrable whole--a categorical, Goodyear-style rule (after Goodyear's India Rubber Glove Mfg. Co. v. Goodyear Rubber Co., 128 U.S. 598 (1888)) that a generic word plus a corporate or commercial designation is always generic. The Supreme Court, 8-1 in an opinion by Justice Ginsburg, rejected the per se rule. The Court held that whether a "generic.com" term is itself generic depends on whether consumers in fact perceive the term as a class of services or as identifying a particular source. Because only one entity can occupy a given domain name at a time, a "generic.com" term can convey to consumers an association with a specific website and thus operate as a source identifier; the survey and record evidence showed consumers understood BOOKING.COM to refer to the company, not to online booking generally.

Three points from Booking.com matter in practice. First, there is no automatic rule either way: a "generic.com" term is neither automatically generic nor automatically registrable; the question turns on consumer perception, is fact-intensive, and is usually proven (or rebutted) with survey evidence. Second, the Court was candid that such marks, even when registrable, may be weak--close to the generic line, entitled to a narrow scope of protection, and unable to stop others from using the underlying generic term or even similar generic.com formations. Justice Breyer's dissent warned that registering near-generic terms risks anti-competitive monopolization of ordinary language, and the majority's "weak rights" caveat is the doctrinal answer to that worry. Third, the decision is confined to the genericness question; descriptive generic.com terms still need to show acquired distinctiveness (secondary meaning) to register on the Principal Register. For applicants weighing whether a domain-style mark is worth pursuing, this is squarely a clearance-and-strategy question; see How to File a Trademark Application with the USPTO and the Federal Trademark Application Checklists.

The practical upshot is nuanced. A company can sometimes register and build rights in a generic.com brand--but it should expect a heavier evidentiary burden, a narrower enforcement zone, and the reality that competitors may use similar terms with relative impunity. A coined or distinctive second-level term (the kind of made-up word that no competitor needs) remains far stronger and easier to protect than a descriptive-plus-.com formation, and that asymmetry should drive naming decisions long before any application is filed.

Practical Guidance for Brand Owners

The legal architecture above translates into a concrete playbook. The following guidance is general; specific decisions should be made with counsel.

Choose the second-level term for strength, not just availability. The single most consequential trademark decision is the brand name itself. A coined or arbitrary term is inherently distinctive, easy to clear, easy to register, and easy to defend across TLDs. A descriptive term, even paired with a clever TLD, invites refusals, weak rights, and crowded fields. Run a clearance search before committing--see How to Conduct a Comprehensive Trademark Clearance Search.

Secure the obvious TLDs, then rationalize. Most businesses should hold the .com of their primary brand regardless of which TLD they market under, because .com remains the default consumers type and the most valuable target for squatters. Beyond that, defensive registration should be strategic rather than exhaustive: registering a brand in every one of a thousand-plus gTLDs is neither affordable nor sensible. Prioritize the TLDs that match the business sector (.app, .tech, .bank, .law), the relevant geographies, and the most likely abuse targets (common misspellings, "[brand]-support," "[brand]-login").

Use the TMCH and watch services together. Record key marks in the Trademark Clearinghouse to unlock Sunrise (to grab exact matches first) and Claims (to get early warnings)--but remember the TMCH catches only identical strings. Layer a commercial watch service on top to catch the confusingly similar and typosquatted registrations the TMCH misses.

Match the enforcement tool to the goal. For a clear, low-value squat where you just want the name gone, the URS (suspension) or the UDRP (transfer) is fast and cheap. For high-value names, serial squatters, anonymous or foreign registrants, or where you want damages, use the ACPA (15 U.S.C. 1125(d)), including in rem actions and statutory damages. A cease-and-desist letter is often the efficient first step and resolves many disputes without any proceeding; see Drafting a Trademark Cease and Desist Letter.

Build investigation into your process. Because GDPR has gone the WHOIS data dark, identify abuse early through monitoring, preserve the offending website properly for evidence, and be prepared to subpoena the registrar or file a John Doe action to unmask an anonymous registrant.

Treat domains as assets. Track renewal dates (lapsed renewals are a leading cause of losing a valuable name to a "drop-catcher" that pounces the instant it expires), lock high-value names against transfer, enable registrar-level two-factor authentication, consolidate the portfolio at a reputable registrar, and use written transfer agreements when buying or selling names. Domain security--protecting registrar accounts and DNS records against hijacking--belongs in the same risk program as cybersecurity generally.

These steps fit within a comprehensive online-brand strategy; for the full framework, see Brand Protection Online: A Strategic Guide for Businesses.

Key Takeaways

A top-level domain is the rightmost segment of a domain name and the level of the DNS hierarchy ICANN governs most directly through contracts. TLDs come in several flavors--legacy and new generic TLDs, country-code TLDs (many repurposed far from their origins), and sponsored TLDs--each with its own operator and rules. Names are allocated through a registry-registrar-registrant chain, and because registrars and registries are passive intermediaries, the party to pursue for abuse is almost always the registrant. Whether the registrant "owns" anything is genuinely contested: courts have called a domain an address, intangible property, and a bare contract right, and the answer can decide who controls a valuable name in bankruptcy, garnishment, or an in rem suit. WHOIS once made registrants easy to find, but GDPR has redacted most public registration data, forcing brand owners to investigate through website content, registrar requests, and subpoenas. The new gTLD program bakes trademark protection into its structure through the Trademark Clearinghouse, Sunrise and Claims services, the Uniform Rapid Suspension System, and registry-level post-delegation procedures. When abuse occurs, the UDRP offers a fast, cheap transfer remedy and the ACPA (15 U.S.C. 1125(d)) offers federal damages, statutory damages, and in rem jurisdiction. And inside trademark law itself, TLDs generally carry little independent significance--except that, after Booking.com B.V., 591 U.S. 549 (2020), a "generic.com" term can sometimes function as a (often weak) source identifier if consumers perceive it that way.

Frequently Asked Questions

Is a domain name the same thing as a trademark? No. A domain name is a registered address in the DNS, allocated through a registrar by contract; a trademark is a source identifier protected by trademark law. They overlap when a domain functions as a brand, and a domain can acquire trademark rights through use--but registering a domain does not grant trademark rights, and owning a trademark does not automatically entitle you to the matching domain. The two systems are governed by entirely different rules.

Do I actually "own" my domain name? It depends whom you ask and which court you are in. Some authorities treat a domain as a mere address with no property value; the Ontario Court of Appeal in Tucows.com Co. v. Lojas Renner S.A. treated a .com name as intangible personal property; and still other courts (and registries like Nominet) treat it as a pure contractual right. For practical purposes, assume you hold a valuable, transferable bundle of contract rights--worth protecting with renewals, transfer locks, and written transfer agreements--rather than a deed backed by a public recording system.

Can I lose a domain just because someone else has a trademark in the name? Not automatically. A trademark owner must actually prevail under the UDRP, the URS, or the ACPA, each of which requires proof that you lack a legitimate interest in the name and that you registered or used it in bad faith. A registrant with a genuine, good-faith reason for the name--its own name, a descriptive use, legitimate prior business use, or noncommercial fair use--has real defenses, and an overreaching complainant can even be found to have attempted reverse domain name hijacking.

Should my company register its brand in every new gTLD? Almost never. With well over a thousand gTLDs, blanket defensive registration is unaffordable and unnecessary. The better approach is to secure the .com and a strategic handful of sector- and geography-relevant TLDs, record key marks in the Trademark Clearinghouse for Sunrise and Claims protection, and use a watch service plus the UDRP/URS/ACPA to police the rest.

Why can't I find out who registered a domain anymore? Because of the EU's GDPR, which took effect in 2018. Registrant contact details are personal data, so registrars now redact most public WHOIS information. You can still try the website's own content, a legitimate-interest request to the registrar, ICANN's developing standardized-access framework, or a subpoena/John Doe lawsuit to unmask an anonymous registrant.

Does adding ".com" to a generic word make it a registrable trademark? Sometimes, but not as a rule. After Booking.com, the USPTO cannot treat "generic.com" as automatically generic; registrability turns on whether consumers perceive the term as identifying a particular source, typically shown with survey evidence. Even when registrable, such marks are usually weak and narrow, and descriptive ones still need to prove acquired distinctiveness.

What is the difference between the UDRP and the ACPA? The UDRP is an ICANN contract-based administrative process--fast, inexpensive, global, but limited to transferring or cancelling the name. The ACPA (15 U.S.C. 1125(d)) is a U.S. federal statute that adds damages (including statutory damages of $1,000-$100,000 per name), attorney's fees in exceptional cases, and in rem jurisdiction over the name itself, at the cost of full litigation. Many brand owners start with the UDRP and escalate to the ACPA when money or a difficult defendant is involved.

The squatter is overseas and hiding behind a privacy service. Can I still get the name? Yes. The ACPA's in rem provision lets you sue the domain name itself in the district where the registry or registrar is located when you cannot find or reach the registrant personally (15 U.S.C. 1125(d)(2))--for many .com disputes, the Eastern District of Virginia. The catch is that an in rem action gets you only transfer or cancellation, not money; if you want damages, you need to identify and serve the human or entity behind the name.

Related Articles

Disclaimer: This article is provided for general informational purposes only and does not constitute legal advice. It does not create an attorney-client relationship. Domain name, trademark, and internet-governance rules change over time and turn on specific facts. Readers should consult qualified counsel before acting on any matter discussed here.