FTC Takes Action Against GoDaddy for Alleged Lax Data Security for Its Website Hosting Services

The Federal Trade Commission (FTC) has announced that GoDaddy, one of the world’s largest domain registrars and web hosting companies, must implement a stronger information security program as part of a settlement to address its inadequate data security practices. This action follows concerns that GoDaddy’s lack of safeguards left customers and visitors to their websites vulnerable to harm.

According to the FTC’s complaint, GoDaddy failed to take reasonable steps to protect its website-hosting services from security threats since at least 2018. The company allegedly misled customers about the strength of its data security measures, putting millions of small businesses and their visitors at risk.

The settlement will require GoDaddy to create a robust data security program, similar to measures implemented in other FTC cases, like the recent Marriott International settlement. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated:
“Millions of small businesses rely on web hosting providers like GoDaddy to keep their websites secure. Today’s action ensures companies like GoDaddy take the necessary steps to safeguard consumers around the world.”

GoDaddy’s security lapses, as detailed in the FTC’s complaint, included failing to:

• Keep track of assets and software updates,
• Properly assess risks to its hosting services,
• Log and monitor security-related events, and
• Separate its shared hosting services from less secure environments.

Between 2019 and 2022, these issues contributed to several major security breaches. Hackers gained unauthorized access to customers’ websites and data, exposing visitors to risks like being redirected to malicious websites. The FTC also found that GoDaddy made misleading claims in its marketing materials, suggesting that its security practices met international privacy standards like the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Key Settlement Requirements

Under the proposed settlement, GoDaddy must:

1. Stop making false claims about its security practices or compliance with privacy standards.
2. Implement a comprehensive security program to protect its hosting services.
3. Hire an independent third-party assessor to evaluate its security program initially and every two years.

The FTC voted unanimously (5-0) to issue the complaint and accept the settlement, with Commissioner Melissa Holyoak partially dissenting on one aspect. The proposed agreement will be open for public comment for 30 days before the FTC decides whether to finalize it. Details on how to submit comments will be published in the Federal Register.

What Happens Next?
If the consent order becomes final, GoDaddy must follow its terms or face penalties of up to $51,744 per violation.

The FTC remains committed to promoting competition and protecting consumers. You can learn more about consumer rights at consumer.ftc.gov or report fraud and bad practices at ReportFraud.ftc.gov. Stay updated by following the FTC on social media or subscribing to their alerts.