Washington, D.C. — So, the Federal Trade Commission (FTC) wrapped up a deal with GoDaddy on May 23, 2025, to address claims that the web hosting giant was a little shady with its data security practices, resulting in a bunch of data breaches. The settlement, passed unanimously with a 3-0 vote, requires GoDaddy to level up its security game and stop fibbing about how safe they are.
Back in January 2025, the FTC called out GoDaddy for talking a big game about their “award-winning security” while not actually bothering to, you know, secure their customers’ stuff properly. The agency pointed to GoDaddy’s lack of basic security features like multi-factor authentication, poor threat monitoring, and unsecured data connections as the reasons behind the breaches. On top of that, the FTC accused GoDaddy of lying about following international data protection standards like the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
“GoDaddy dropped the ball big time by not using standard data security tools, leaving their customers wide open,” said an FTC spokesperson in a statement. The breaches exposed sensitive info and shook consumer trust in GoDaddy’s hosting services, which are behind millions of websites all over the world.
The final order lays down the law for GoDaddy. They can’t lie about their security practices or claim to be in compliance with any privacy programs. They have to set up a top-notch information-security program to protect their website-hosting services and customer data. Plus, GoDaddy has to hire an outside assessor to keep tabs on their security measures regularly.
There were three public comments on the proposed order, but the Commission addressed those before making their decision. While the vote was unanimous, Commissioner Melissa Holyoak had some issues with one specific part of the complaint related to the Privacy Shield Frameworks.
GoDaddy, headquartered in Scottsdale, Arizona, is a major player in web hosting and domain registration, serving a whopping 20 million customers. The breaches happened over a few years and impacted who knows how many websites, exposing personal and financial data. GoDaddy didn’t admit to doing anything wrong, but they agreed to settle the allegations.
The FTC is really cracking down on data security in the tech industry, and GoDaddy is just the latest target. The company has 180 days to get their act together with the new security program, and outside assessments will start in 2026.
The order doesn’t mention compensating affected customers, but the focus is on preventing future breaches. The improvements GoDaddy has to make should lower the risk of something like this happening again. This whole situation really highlights the importance of companies being straight up about how they handle our data.
