diff --git a/app/controllers/api/v1/registrant/contacts_controller.rb b/app/controllers/api/v1/registrant/contacts_controller.rb index c405e1c5f..bbaa3fcb5 100644 --- a/app/controllers/api/v1/registrant/contacts_controller.rb +++ b/app/controllers/api/v1/registrant/contacts_controller.rb @@ -50,6 +50,13 @@ module Api reparsed_request = reparsed_request(request.body.string) disclosed_attributes = reparsed_request[:disclosed_attributes] + if disclosed_attributes.present? + extra_attrs = disclosed_attributes - Contact::DISCLOSE_ATTRIBUTES + attributes_not_exist_error(extra_attrs) and return if extra_attrs.present? + end + + # render_disclosed_attributes_error and return if disclosed_attributes.present? && contact.org? + contact.disclosed_attributes = disclosed_attributes if disclosed_attributes publishable = reparsed_request[:registrant_publishable] contact.registrant_publishable = publishable if publishable.in? [true, false] @@ -116,6 +123,11 @@ module Api ) end + def attributes_not_exist_error(extra_attrs) + error_msg = "Request contains extra attributes: #{extra_attrs.join(', ')}" + render json: { errors: [{ disclosed_attributes: [error_msg] }] }, status: :bad_request + end + def render_address_error error_msg = 'Address processing is disabled and therefore cannot be updated' render json: { errors: [{ address: [error_msg] }] }, status: :bad_request diff --git a/app/models/contact.rb b/app/models/contact.rb index e4a2a26ee..1ffbaa18f 100644 --- a/app/models/contact.rb +++ b/app/models/contact.rb @@ -147,6 +147,15 @@ class Contact < ApplicationRecord # "clientDeleteProhibited" or "serverDeleteProhibited" status. PENDING_DELETE = 'pendingDelete'.freeze + DISCLOSE_ATTRIBUTES = %w[ + name + email + phone + registrant_publishable + address + fax + ].freeze + STATUSES = [ CLIENT_DELETE_PROHIBITED, SERVER_DELETE_PROHIBITED, CLIENT_TRANSFER_PROHIBITED, 
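Review bot: The new allow-list check assumes `disclosed_attributes` is an array of strings, but `disclosed_attributes - Contact::DISCLOSE_ATTRIBUTES` runs for any `present?` value. A JSON string or object in that field would presumably raise (String and Hash have no binary `-`) and surface as a 500 rather than the 400 this branch is meant to return. Reject the request with the same 400 response unless `disclosed_attributes.is_a?(Array) && disclosed_attributes.all?(String)` holds before doing the subtraction. The commented-out `render_disclosed_attributes_error … contact.org?` line added here is dead code; delete it or restore the guard, because nothing visible in this hunk stops a legal-person contact from changing its disclosure list. The action's body starts and ends outside the hunk.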
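Review bot: `attributes_not_exist_error` echoes the rejected client values back verbatim through `extra_attrs.join(', ')`, with no cap on how many there are or how long each one is. JSON rendering handles the encoding, but any consumer that shows this message in HTML or copies it into logs inherits client-chosen text. Consider bounding it, for example `extra_attrs.first(10).map { |a| a.to_s.truncate(50) }.join(', ')`. The name also departs from the neighbouring `render_address_error`; `render_extra_disclosed_attributes_error` would read consistently.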
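Review bot: `DISCLOSE_ATTRIBUTES` now acts as the allow-list for what a registrant can mark as disclosed through the API, but nothing at the definition says so. A comment such as `# Allow-list of contact fields accepted in disclosed_attributes; the registrant API rejects anything else with 400.` would tell the next editor that adding an entry may widen what can be published. `registrant_publishable` looks out of place in the list, since the controller reads it as a separate boolean request field, so it is worth confirming that it is meant to be a disclosable attribute. The `STATUSES` array that follows continues outside the hunk.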
diff --git a/test/integration/api/v1/registrant/contacts/update_test.rb b/test/integration/api/v1/registrant/contacts/update_test.rb index 1acc639bd..79cb8ab3c 100644 --- a/test/integration/api/v1/registrant/contacts/update_test.rb +++ b/test/integration/api/v1/registrant/contacts/update_test.rb @@ -9,7 +9,6 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest @original_address_processing = Setting.address_processing @original_fax_enabled_setting = ENV['fax_enabled'] @user = users(:registrant) - end teardown do @@ -91,18 +90,18 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest @contact.address end - # def test_update_address_when_enabled_without_address_params - # Setting.address_processing = false + def test_update_address_when_enabled_without_address_params + Setting.address_processing = false - # patch api_v1_registrant_contact_path(@contact.uuid), params: { address: { } }, - # as: :json, - # headers: { 'HTTP_AUTHORIZATION' => auth_token } + patch api_v1_registrant_contact_path(@contact.uuid), params: { address: { } }, + as: :json, + headers: { 'HTTP_AUTHORIZATION' => auth_token } - # assert_response :bad_request - # @contact.reload - # assert_equal Contact::Address.new(nil, nil, nil, nil, nil), - # @contact.address - # end + assert_response :bad_request + @contact.reload + assert_equal Contact::Address.new(nil, nil, nil, nil, nil), + @contact.address + end def test_address_is_optional_when_enabled Setting.address_processing = true @@ -179,7 +178,7 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest # def test_legal_persons_disclosed_attributes_cannot_be_changed # @contact = contacts(:acme_ltd) - # # contacts(:acme_ltd).ident + # contacts(:acme_ltd).ident # assert_equal '1234567', @contact.ident # assert_equal Contact::ORG, @contact.ident_type 
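Review bot: The re-enabled `test_update_address_when_enabled_without_address_params` sets `Setting.address_processing = false`, so its name describes the opposite of what it exercises. Renaming it to `test_update_address_when_disabled_without_address_params` (if that name is not already taken), or flipping the setting if the enabled case was intended, keeps the failure output meaningful. It would also help to assert the error body, as the disclosed-attributes test further down does, so that a 400 raised for an unrelated reason cannot satisfy it.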
@@ -254,20 +253,20 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest symbolize_names: true) end - # def test_org_disclosed_attributes - # patch api_v1_registrant_contact_path(@contact_org.uuid), params: { disclosed_attributes: ["some_attr"] }, - # as: :json, - # headers: { 'HTTP_AUTHORIZATION' => auth_token } + def test_org_disclosed_attributes + patch api_v1_registrant_contact_path(@contact_org.uuid), params: { disclosed_attributes: ["some_attr"] }, + as: :json, + headers: { 'HTTP_AUTHORIZATION' => auth_token } - # assert_response :bad_request + assert_response :bad_request - # err_msg = "Legal person's data is visible by default and cannot be concealed. Please remove this parameter." + err_msg = "Request contains extra attributes: some_attr" - # response_json = JSON.parse(response.body, symbolize_names: true) - # response_msg = response_json[:errors][0][:disclosed_attributes][0] + response_json = JSON.parse(response.body, symbolize_names: true) + response_msg = response_json[:errors][0][:disclosed_attributes][0] - # assert_equal err_msg, response_msg - # end + assert_equal err_msg, response_msg + end def test_unmanaged_contact_cannot_be_updated assert_equal 'US-1234', @user.registrant_ident
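Review bot: `test_org_disclosed_attributes` no longer checks anything specific to legal persons, because `"some_attr"` is rejected by the unknown-attribute check, which would presumably behave the same for a private-person contact. The case the old assertion covered, an org contact sending a valid attribute such as `["name"]`, now has no test, and `test_legal_persons_disclosed_attributes_cannot_be_changed` in the hunk at -179 is still commented out. Add a test that pins the intended outcome for that request. Consider also asserting here that the record is unchanged after the 400, for example by wrapping the call in `assert_no_changes -> { @contact_org.reload.disclosed_attributes } do … end`.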