
The Federal Trade Commission (FTC) has finalized a settlement with GoDaddy regarding allegations that the web hosting service has weak security practices.
What happened
On May 23rd, 2025, the FTC finalized an agreement with GoDaddy over allegations that the service was misleading consumers about its data security practices. The FTC further argued that GoDaddy's poor cybersecurity led to multiple data breaches.
According to the Southern Maryland Chronicle, the order was unanimously approved by a 3-0 vote. Under the agreement, GoDaddy must make significant security upgrades and is prohibited from making false claims about its current cybersecurity status. “GoDaddy’s failure to use standard data security tools left customers vulnerable,” read an FTC statement on the issue.
As part of the agreement, GoDaddy did not admit any wrongdoing but agreed to the settlement to resolve the allegations.
New security measures include GoDaddy establishing a comprehensive information-security program to safeguard website-hosting services. GoDaddy must also use an independent third-party assessor to conduct regular reviews of its security program and compliance. The new security program must be implemented within 180 days. The third-party assessments must begin in 2026.
Flashback
Back in January of 2025, the FTC argued that GoDaddy failed to implement basic security measures, even when advertising “award-winning security.”
Some of GoDaddy’s biggest lapses included:
- No multi-factor authentication
- Insufficient threat monitoring
- Unsecured data connections, which directly enabled unauthorized access to customers’ websites and data.
- Falsely stating that GoDaddy was compliant with the EU-US and Swiss-US Privacy Shield Frameworks, which are international data protection standards.
As one of the world’s largest web hosting and domain registration companies, GoDaddy serves over 20 million customers. Multiple breaches took place over several years, impacting an undetermined number of websites and exposing personal and financial data. The exact impact is unknown.
What to watch
The FTC is beginning to focus more on data security in the tech industry. According to the Southern Maryland Chronicle, the FTC has pursued other, similar actions in 2025 to protect user data.
Consumers impacted by the GoDaddy breaches are unlikely to receive direct compensation following the agreement, which largely focuses on preventing future security incidents. Although consumers were directly affected, these cybersecurity updates may reduce future risks and promote further transparency in the tech industry.
FAQs
Will impacted consumers receive any sort of compensation?
It’s currently unlikely that consumers will see compensation from this order. However, impacted consumers may be able to pursue separate legal action.
Does GoDaddy need to be HIPAA compliant?
HIPAA only applies to covered entities, that is, entities that directly handle patient data. Since GoDaddy is not a covered entity, it is overseen by the Federal Trade Commission instead of the Department of Health and Human Services (HHS), which oversees healthcare organizations.