The Federal Trade Commission (FTC) has finalized a settlement with GoDaddy regarding allegations that the web hosting service has weak security practices.
On May 23rd, 2025, the FTC finalized an agreement with GoDaddy over allegations that the service was misleading consumers about its data security practices. The FTC further argued that GoDaddy's poor cybersecurity led to multiple data breaches.
According to the Southern Maryland Chronicle, the order was unanimously approved by a 3-0 vote. Under the agreement, GoDaddy must make significant security upgrades and is prohibited from making false claims about its current cybersecurity status. “GoDaddy’s failure to use standard data security tools left customers vulnerable,” read an FTC statement on the issue.
As part of the agreement, GoDaddy did not admit any wrongdoing but agreed to the settlement to resolve the allegations.
The new security measures require GoDaddy to establish a comprehensive information-security program to safeguard its website-hosting services. GoDaddy must also use an independent third-party assessor to conduct regular reviews of its security program and compliance. The new security program must be implemented within 180 days. The third-party assessments must begin in 2026.
Back in January of 2025, the FTC argued that GoDaddy failed to implement basic security measures, even while advertising “award-winning security.”
Some of GoDaddy’s biggest lapses included:
As one of the world’s largest web hosting and domain registration companies, GoDaddy serves over 20 million customers. Multiple breaches took place over several years, impacting an undetermined number of websites and exposing personal and financial data. The exact impact is unknown.
The FTC is beginning to focus more on data security in the tech industry. According to the Southern Maryland Chronicle, the FTC has pursued other, similar actions in 2025 to protect user data.
Consumers impacted by the GoDaddy breaches are unlikely to receive direct compensation following the agreement, which largely focuses on preventing future security incidents. Despite a direct impact on consumers, these cybersecurity updates may reduce future risks and promote further transparency in the tech industry.
It’s currently unlikely that consumers will see compensation from this order. However, impacted consumers may be able to pursue separate legal action.
HIPAA only applies to covered entities, meaning entities that directly handle patient data. Since GoDaddy is not a covered entity, it is overseen by the Federal Trade Commission instead of the Department of Health and Human Services (HHS), which oversees healthcare organizations.