Originally published at https://monstadomains.com/blog/domain-transfer-lock-policy/
The domain transfer lock policy that has trapped domain owners in bureaucratic waiting periods for over a decade is finally getting dismantled. Following a unanimous vote at ICANN 82 in Seattle, the GNSO Council approved 47 policy recommendations that will cut the domain transfer lock policy wait time from 60 days to just 30 – and completely abolish the version of the domain transfer lock policy triggered every time a registrant updates their contact details. This is the most significant structural change to domain transfers in more than 20 years, and it has real implications for anyone who values the ability to move their domains quickly and privately.
What ICANN Just Approved and Why It Matters Now
In early 2026, the Generic Names Supporting Organization Council voted unanimously to adopt the final recommendations from its Transfer Policy Review Working Group. The 163-page report – the result of years of multi-stakeholder deliberation – targets the entire domain transfer lifecycle, from inter-registrar moves to ownership changes and bulk portfolio migrations. The domain transfer lock policy is addressed directly across multiple recommendations in that report. This is not a proposal or a pilot. The GNSO Council vote means the recommendations now proceed to ICANN’s board of directors for ratification, after which compliance becomes mandatory for all accredited registrars worldwide.
The Domain Transfer Lock Policy That Frustrated Millions
The domain transfer lock policy as it has existed was a two-headed constraint. First, every new domain registration and every completed transfer automatically triggered a 60-day lock preventing any further inter-registrar move. Second – and far more disruptive – any change to the registrant name, organisation, or email address triggered a separate domain transfer lock policy window of another 60 days. Miss a typo in your registrant email? Fix your business name? You were immediately locked for two months. The original purpose of the domain transfer lock policy was anti-fraud: giving registrars time to detect and reverse unauthorised account takeovers before stolen domains disappeared to sleazy offshore operators. Reasonable in theory. Painful in practice for every legitimate owner who ever wanted to leave a registrar on short notice.
The Contact Change Trap
The contact-change version of the domain transfer lock policy was particularly damaging for privacy-conscious users. Because updating an email address – something privacy advocates recommend doing regularly to limit exposure – automatically triggered the domain transfer lock policy, many users simply stopped refreshing their registrant details. Security researchers flagged this as a perverse outcome: the domain transfer lock policy designed to protect domain ownership ended up discouraging the same hygiene practices that make domain accounts more secure. Registrars knew this problem existed. It appeared in industry reviews going back to 2018 and nothing changed until now.
Inside the GNSO Council Vote
The 47 recommendations approved cover the full scope of domain transfer procedures. The GNSO Council – the body responsible for generic TLD policy recommendations – voted unanimously to adopt the working group’s final report. Unanimous votes at ICANN are rare. The fact that all constituencies, from registries and registrars to non-commercial stakeholders and individual domain holders, agreed on the direction signals genuine industry consensus that the current domain transfer lock policy rules are indefensible in their present form. The recommendations now go to ICANN’s board for ratification. Implementation timelines will follow that process, but the policy direction is set.
According to ICANN’s official Transfer Policy documentation, the existing domain transfer lock policy framework has been in place largely unchanged since the early 2000s. The working group tasked with reviewing it is reported to have produced the most comprehensive overhaul ever undertaken of registrar transfer procedures. The scope – 47 separate recommendations – reflects just how thoroughly the current domain transfer lock policy and its surrounding rules needed rethinking.
From 60 Days to 30 Days – The New Transfer Rules
Under the approved recommendations, the domain transfer lock policy for new registrations and completed transfers shrinks from 60 days to 30 days (720 hours precisely). That is meaningful but not revolutionary. The bigger change is the outright elimination of the domain transfer lock policy that applied to registrant contact changes. Under the new framework, updating your name, organisation name, or email address will not trigger any additional domain transfer lock policy delay. You can update your registrant details today and submit a transfer tomorrow without penalty. For anyone who has ever been stuck watching a 60-day countdown because they corrected a typo, this is a significant quality-of-life change.
Bulk Portfolio Transfer Rules Standardised
The report also standardises bulk domain transfer procedures for the first time under a defined process called BTAPPA – Bulk Transfer After Partial Portfolio Acquisition. For portfolios exceeding 50,000 domains, a maximum administrative charge of $50,000 applies. This addresses a long-running grey area where registrars could drag out or monetise large bulk moves with little accountability. Privacy-first registrars who serve users with multiple domains will need to update their transfer processes accordingly once the rules are ratified. For individual domain owners, the BTAPPA framework is less relevant – but it signals ICANN is finally treating large-scale transfers as a distinct use case that requires its own ruleset.
What the Domain Transfer Lock Policy Meant for Privacy
For users who rotate registrars to avoid long-term data profiling – a legitimate and widely recommended practice in privacy circles – the domain transfer lock policy has been a concrete barrier. Every time you moved to a new registrar, you were locked into that relationship for two months minimum. If the registrar changed its terms, got acquired, or started demanding documentation, you had no clean exit for 60 days. The domain transfer lock policy made registrar loyalty compulsory rather than earned. This is not a hypothetical: registrar acquisitions are common, and domain transfers are a basic tool for maintaining control over your own infrastructure.
According to the Electronic Frontier Foundation’s analysis of WHOIS and domain privacy, domain registration data is routinely accessed by third parties including law enforcement, private investigators, and data brokers – making the choice of registrar, and the ability to switch registrars freely, a direct privacy decision. A domain transfer lock policy that makes it hard to leave a registrar is, from this perspective, a policy that makes surveillance easier by keeping users in relationships they might otherwise exit. The EFF has long argued that registrant flexibility is inseparable from registrant privacy.
As of mid-April 2026, there are over 244 million active registered domains across 1,105 TLDs, according to ABTdomain’s active pool statistics. Every one of those registrations has at some point been subject to the domain transfer lock policy in some form. The scale of the problem the reform is solving is not small.
The Broader ICANN Privacy Shift
The transfer policy reform does not exist in isolation. In August 2025, ICANN’s Registration Data Policy came into force, requiring all accredited registrars to permanently delete historical administrative, billing, and technical contact data. Registrars can no longer require this information from registrants, and old records must be purged. Combined with the incoming changes to the domain transfer lock policy, these two reforms represent a meaningful – if slow-moving – shift in how ICANN-accredited registrars are permitted to collect and retain registrant data. The direction of travel is toward less data collection and more registrant flexibility.
The Registration Data Policy changes reduce the data trail that a domain registration creates – but only at registrars who are ICANN-accredited and compliant. Privacy-focused providers who operate with stricter privacy standards by default have always offered more flexibility here, which is why privacy-conscious users often choose them ahead of mainstream registrars waiting on ICANN mandates to update their practices. The domain transfer lock policy reform will eventually extend that flexibility to the accredited tier as well – once ratification and implementation deadlines are confirmed.
What Domain Owners Should Do Right Now
The GNSO vote is the policy signal, not the implementation date. Until ICANN’s board ratifies the recommendations and sets a compliance deadline, the current 60-day domain transfer lock policy remains in force at all ICANN-accredited registrars. Transfers you initiate today are still subject to the old rules. Watch ICANN’s official announcements for the board ratification date, expected in the coming months. Once ratified, registrars will receive an implementation window – typically 12 to 18 months for major policy changes – before enforcement begins. Do not assume your registrar has already changed its lock period.
If you are planning to move your domains and your primary concern is speed or anonymity, it is worth noting that registrars already operating outside ICANN’s mandatory framework are not subject to the same compliance timeline. The domain transfer lock policy as written by ICANN applies to accredited registrars. If your provider operates with a different structure, check their specific transfer terms directly. For activists, journalists, and others using zero KYC domain registration for operational security reasons, the contact-change component is the most practically relevant update once it takes effect.
The ability to update your registrant email without triggering a domain transfer lock policy lockout means you can rotate contact addresses more freely going forward – an important capability for anyone managing domains tied to sensitive work. Until then, plan your contact updates and transfer windows accordingly and avoid triggering both in the same 60-day window under the existing rules.
The Bottom Line
The GNSO Council’s unanimous vote to reform the domain transfer lock policy is a genuine win for domain owners – not just large portfolio holders who lobbied for it, but anyone who has been stuck waiting out a 60-day countdown after correcting a typo. The elimination of the contact-change-triggered domain transfer lock policy removes one of the most frustrating friction points in the registrar ecosystem. The reduction from 60 to 30 days is the smaller but still meaningful half of the reform.
Paired with the Registration Data Policy changes that took effect in August 2025, this marks a slow but genuine trend toward registrant-first policy at ICANN – one where data minimisation and transfer flexibility are becoming baseline expectations rather than optional extras. The domain transfer lock policy was one of the last major holdouts from an era when registrar lock-in was treated as a feature. Implementation will take time, but the direction is set and the vote was unanimous.
If you want your domain already registered in a way that minimises the data trail – before ICANN’s updated rules even kick in – MonstaDomains offers private domain transfers with no identity verification requirements and crypto payment options, so you are not waiting on policy ratification timelines to start protecting your online presence.
