GoDaddy Inc.; Analysis of Proposed Consent Order To Aid Public Comment
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 29 (Thursday, February 13, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 29 (Thursday, February 13, 2025)]
[Notices]
[Pages 9547-9549]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-02575]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 202 3133]
GoDaddy Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before March 17, 2025.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``GoDaddy; File
No. 202 3133'' on your comment and file your comment online at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on the web-based
form. If you prefer to file your comment on paper, please mail your
comment to: Federal Trade Commission, Office of the Secretary, 600
Pennsylvania Avenue NW, Mail Stop H-144 (Annex H), Washington, DC
20580.
FOR FURTHER INFORMATION CONTACT: Jarad Brown (202-326-2927) and David
Walko (202-326-2880), Attorneys, Division of Privacy and Identity
Protection, Bureau of Consumer Protection, Federal Trade Commission,
400 7th St. SW, Washington, DC 20024.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before March 17, 2025.
Write ``GoDaddy; File No. 202 3133'' on your comment. Your comment--
including your name and your State--will be placed on the public record
of this proceeding, including, to the extent practicable, on the
<a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website. If you prefer to file your comment on paper, write ``GoDaddy;
File No. 202 3133'' on your comment and on the envelope, and send it
via overnight service to: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex H),
Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other State
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at <a href="https://www.ftc.gov">https://www.ftc.gov</a> to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
it receives on or before March 17, 2025. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from GoDaddy
Inc. and <a href="http://GoDaddy.com">GoDaddy.com</a>, LLC (``Respondents''). The proposed consent order
(``Proposed Order'') has been placed on the public record for 30 days
for receipt of public comments from interested persons. Comments
received during this period will become part of the public record.
After 30 days, the Commission will again review the agreement, along
with the comments received, and will decide whether it should make
final the Proposed Order or withdraw from the agreement and take
appropriate action.
Respondent GoDaddy Inc. is a Delaware corporation with its
headquarters in Arizona. Respondent <a href="http://GoDaddy.com">GoDaddy.com</a>, LLC is a Delaware
limited liability company with its headquarters in Arizona and is a
wholly owned subsidiary of GoDaddy Inc. Respondents provide website
hosting services to individuals and businesses of all sizes, including
small businesses.
Since at least 2015, the Commission alleges, Respondents have
marketed their services as a secure choice for customers to host their
websites, touting their commitment to data security. Respondents have
also stated that they comply with the Privacy Shield Framework
principles, which include a promise to take reasonable and appropriate
measures to protect the security of personal information. As alleged in
the complaint, in fact, Respondents' data security practices were not
reasonable for their size and complexity. GoDaddy did not have
reasonable visibility into vulnerabilities and threats affecting its
hosting services. Since 2018, GoDaddy has failed to implement standard
security tools and practices to protect its hosting services and to
monitor them for security threats. In particular, GoDaddy allegedly
failed to: (a) inventory and manage assets; (b) manage software
updates; (c) assess risks to its website hosting services; (d) use
multi-factor authentication; (e) log security-related events; (f)
monitor for security threats, including by failing to use software that
could actively detect threats from its many logs, and failing to use
file integrity monitoring; (g) segment its network; and (h) secure
connections to services that provide access to consumer data. In light
of these failures, the Commission challenged GoDaddy's representations
about security and adhering to the Privacy Shield Framework principles
as false or misleading. As a result of Respondents' data security
failures, as alleged in the complaint, they experienced several
incidents of unauthorized access to their hosting service between 2019
and December 2022, in which threat actors repeatedly gained access to
customers' websites and data, causing harm to Respondents' customers
and putting them and visitors to the customers' websites at risk of
further harm.
The Commission's proposed three-count complaint alleges that
Respondents engaged in unfair and deceptive practices in violation of
Section 5(a) of the FTC Act by (1) unfairly failing to employ
reasonable and appropriate data security measures, (2) deceptively
representing that they used reasonable and appropriate data security
measures, and (3) deceptively representing that they adhere to the EU-
U.S. and/or Swiss-U.S. Privacy Shield Principles. With respect to the
first count, the proposed complaint alleges that Respondents failed to
employ reasonable and appropriate measures to protect their hosting
environment from unauthorized access. Respondents' failure to employ
such reasonable and appropriate measures has caused or is likely to
cause substantial injury to consumers in the form of several data
breaches between 2019 and 2022, theft of Respondents' customers'
confidential information stored in Respondents' hosting services, and
alteration of Respondents' customers' websites. These injuries are not
outweighed by countervailing benefits to consumers or competition and
are not reasonably avoidable by consumers themselves.
Summary of Proposed Order With Respondents
The Proposed Order contains injunctive relief designed to prevent
Respondents from engaging in the same or similar acts or practices in
the future. Provision I prohibits Respondents from misrepresenting,
expressly or by implication: (1) the extent to which they protect the
security, confidentiality, integrity, or availability of their hosting
services; (2) the extent to which they use reasonable or appropriate
measures to protect certain hosting services from unauthorized access;
(3) the extent to which they utilize any security technology or
technique, including monitoring, to protect certain hosting services;
(4) the extent to which they protect the security, confidentiality,
integrity, or availability of consumers' personal information; and (5)
the extent to which Respondents are a member of, adhere to, comply
with, are certified by, are endorsed by, or otherwise participate in
any privacy or security program sponsored by a government or any self-
regulatory or standard-setting organization, including the E.U.-U.S.
Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Provision II requires that Respondents establish, implement, and
document a comprehensive information security program. The program must
include specific security measures tailored to Respondents' previous
data security shortcomings alleged in the complaint. Provisions III-VI
require that Respondents obtain initial and biennial information
security assessments by an independent, third-party professional for 20
years (Provision III), cooperate with the independent assessor
(Provision IV), provide the Commission with annual certifications of
compliance with the Order from a senior executive officer from each
Respondent (Provision V), and submit reports to the Commission if they
suffer additional data incidents (Provision VI).
Provisions VII-X are reporting and compliance provisions, which
include recordkeeping requirements and provisions requiring Respondents
to
provide information or documents necessary for the Commission to
monitor compliance. Provision XI states that the Proposed Order will
remain in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
Proposed Order, and it is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify the
Proposed Order's terms in any way.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2025-02575 Filed 2-12-25; 8:45 am]
BILLING CODE 6750-01-P
</pre></body>
</html>