The Federal Trade Commission has finalized an order with GoDaddy settling allegations that the web hosting provider misled consumers by failing to implement data security protections, which led to several data breaches.
The FTC alleged in January 2025 that despite claiming it provides “award-winning security,” GoDaddy failed to implement standard data security tools and practices to protect customers’ websites and data. For example, it failed to use multi-factor authentication, monitor for security threats, and secure connections to its consumer data. These failures led to several data breaches that allowed bad actors to gain unauthorized access to customers’ websites and data. The FTC also alleged that the company deceived users about its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Under the order finalized by the Commission, GoDaddy is:
- Prohibited from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization;
- Required to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
- Required to hire an independent third-party assessor to conduct reviews of its information-security program.
After receiving three comments, the Commission voted 3-0 to finalize the order and send responses to the commenters. Commissioner Melissa Holyoak concurred, but dissented on Count III in the complaint.