WASHINGTON — The Federal Trade Commission finalized a settlement with GoDaddy on May 23, 2025, addressing allegations that the web hosting provider misled consumers about its data security practices, leading to multiple data breaches. The order, approved unanimously by a 3-0 vote, mandates significant security upgrades and prohibits GoDaddy from making false claims about its protections.

In January 2025, the FTC alleged that GoDaddy failed to implement basic security measures despite advertising “award-winning security.” The agency cited the company’s lack of multi-factor authentication, inadequate threat monitoring, and unsecured data connections, which enabled unauthorized access to customers’ websites and data in several breaches. Additionally, the FTC claimed GoDaddy deceived users by falsely stating compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, international data protection standards.

“GoDaddy’s failure to use standard data security tools left customers vulnerable,” an FTC spokesperson said in a statement. The breaches exposed sensitive information, undermining consumer trust in the company’s hosting services, which support millions of websites globally.

The finalized order imposes strict requirements on GoDaddy. The company is barred from misrepresenting its security practices or compliance with government, self-regulatory, or standard-setting privacy programs. It must establish a comprehensive information-security program to safeguard website-hosting services, including measures to protect data confidentiality and integrity. Additionally, GoDaddy is required to engage an independent third-party assessor to conduct regular reviews of its security program, ensuring ongoing compliance.

The FTC received three public comments on the proposed order, with responses sent to commenters before finalization. The Commission’s vote was unanimous, though Commissioner Melissa Holyoak dissented on Count III of the complaint, which related to specific allegations about the Privacy Shield Frameworks, citing concerns over the scope of the charge.

GoDaddy, based in Scottsdale, Arizona, is one of the world’s largest web hosting and domain registration companies, serving over 20 million customers. The breaches, which occurred over several years, affected an undisclosed number of websites and exposed personal and financial data, though exact figures remain unreported. The company did not admit wrongdoing but agreed to the settlement to resolve the allegations.

The order reflects the FTC’s increasing focus on data security in the tech industry, where lax practices can lead to significant consumer harm. In 2024, the agency pursued similar actions against companies failing to protect user data, signaling a broader crackdown on misleading security claims. GoDaddy’s new security program must be implemented within 180 days, with third-party assessments beginning in 2026.

Consumers affected by the breaches may not receive direct compensation under the order, which focuses on preventive measures. However, the mandated security improvements aim to reduce future risks. The FTC’s action underscores the importance of transparency in corporate security claims, particularly for companies handling sensitive consumer data.


David M. Higgins II is an award-winning journalist passionate about uncovering the truth and telling compelling stories. Born in Baltimore and raised in Southern Maryland, he has lived in several East...
