90 FR 29 pgs. 9547-9549 - GoDaddy Inc.; Analysis of Proposed Consent Order To Aid Public Comment
Type: NOTICE
Volume: 90
Number: 29
Pages: 9547 - 9549
Docket number: [File No. 202 3133]
FR document: [FR Doc. 2025-02575 Filed 2-12-25; 8:45 am]
Agency: Federal Trade Commission
FEDERAL TRADE COMMISSION
[File No. 202 3133]
GoDaddy Inc.; Analysis of Proposed Consent Order To Aid Public Comment
AGENCY:
Federal Trade Commission.
ACTION:
Proposed consent agreement; request for comment.
SUMMARY:
The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order, embodied in the consent agreement, that would settle these allegations.
DATES:
Comments must be received on or before March 17, 2025.
ADDRESSES:
Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write "GoDaddy; File No. 202 3133" on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex H), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Jarad Brown (202-326-2927) and David Walko (202-326-2880), Attorneys, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 400 7th St. SW, Washington, DC 20024.
SUPPLEMENTARY INFORMATION:
Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 17, 2025. Write "GoDaddy; File No. 202 3133" on your comment. Your comment, including your name and your State, will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write "GoDaddy; File No. 202 3133" on your comment and on the envelope, and send it via overnight service to: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex H), Washington, DC 20580.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any "trade secret or any commercial or financial information which . . . is privileged or confidential", as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2), including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before March 17, 2025. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission ("Commission") has accepted, subject to final approval, an agreement containing a consent order from GoDaddy Inc. and GoDaddy.com, LLC ("Respondents"). The proposed consent order ("Proposed Order") has been placed on the public record for 30 days for receipt of public comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with the comments received, and will decide whether it should make final the Proposed Order or withdraw from the agreement and take appropriate action.
Respondent GoDaddy Inc. is a Delaware corporation with its headquarters in Arizona. Respondent GoDaddy.com, LLC is a Delaware limited liability company with its headquarters in Arizona and is a wholly owned subsidiary of GoDaddy Inc. Respondents provide website hosting services to individuals and businesses of all sizes, including small businesses.
Since at least 2015, the Commission alleges, Respondents have marketed their services as a secure choice for customers to host their websites, touting their commitment to data security. Respondents have also stated that they comply with the Privacy Shield Framework principles, which include a promise to take reasonable and appropriate measures to protect the security of personal information. As alleged in the complaint, in fact, Respondents' data security practices were not reasonable for their size and complexity. GoDaddy did not have reasonable visibility into vulnerabilities and threats affecting its hosting services. Since 2018, GoDaddy has failed to implement standard security tools and practices to protect its hosting services and to monitor them for security threats. In particular, GoDaddy allegedly failed to: (a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data. In light of these failures, the Commission challenged GoDaddy's representations about security and adhering to the Privacy Shield Framework principles as false or misleading. As a result of Respondents' data security failures, as alleged in the complaint, they experienced several incidents of unauthorized access to their hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to customers' websites and data, causing harm to Respondents' customers and putting them and visitors to the customers' websites at risk of further harm.
The Commission's proposed three-count complaint alleges that Respondents engaged in unfair and deceptive practices in violation of Section 5(a) of the FTC Act by (1) unfairly failing to employ reasonable and appropriate data security measures, (2) deceptively representing that they used reasonable and appropriate data security measures, and (3) deceptively representing that they adhere to the EU-U.S. and/or Swiss-U.S. Privacy Shield Principles. With respect to the first count, the proposed complaint alleges that Respondents failed to employ reasonable and appropriate measures to protect their hosting environment from unauthorized access. Respondents' failure to employ such reasonable and appropriate measures has caused or is likely to cause substantial injury to consumers in the form of several data breaches between 2019 and 2022, theft of Respondents' customers' confidential information stored in Respondents' hosting services, and alteration of Respondents' customers' websites. These injuries are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers themselves.
Summary of Proposed Order With Respondents
The Proposed Order contains injunctive relief designed to prevent Respondents from engaging in the same or similar acts or practices in the future. Provision I prohibits Respondents from misrepresenting, expressly or by implication: (1) the extent to which they protect the security, confidentiality, integrity, or availability of their hosting services; (2) the extent to which they use reasonable or appropriate measures to protect certain hosting services from unauthorized access; (3) the extent to which they utilize any security technology or technique, including monitoring, to protect certain hosting services; (4) the extent to which they protect the security, confidentiality, integrity, or availability of consumers' personal information; and (5) the extent to which Respondents are a member of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Provision II requires that Respondents establish, implement, and document a comprehensive information security program. The program must include specific security measures tailored to Respondents' previous data security shortcomings alleged in the complaint. Provisions III-VI require that Respondents obtain initial and biennial information security assessments by an independent, third-party professional for 20 years (Provision III), cooperate with the independent assessor (Provision IV), provide the Commission with annual certifications of compliance with the Order from a senior executive officer from each Respondent (Provision V), and submit reports to the Commission if they suffer additional data incidents (Provision VI).
Provisions VII-X are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to
The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order's terms in any way.
By direction of the Commission.
April J. Tabor,
Secretary.
BILLING CODE 6750-01-P