This notice explains how we, the Commodity Futures Trading Commission (“CFTC” or “Commission”), collect, use, maintain, and share your personally identifiable information (PII) when you visit CFTC.gov, Whistleblower.gov, or the CFTC’s Portal and when you interact with us through our various social media accounts. Your privacy is important to us, and we take our responsibility to protect your privacy seriously. To learn more about our privacy program and how we protect your privacy, please visit our privacy program page at cftc.gov/privacy.
PERSONALLY IDENTIFIABLE INFORMATION
WEB MEASUREMENT AND CUSTOMIZATION
INFORMATION SAFEGUARDS AND MONITORING
PERSONALLY IDENTIFIABLE INFORMATION
Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with information that is “linked” or “linkable” to a specific individual. Information that we can use alone to identify a specific individual typically includes identifiers such as a person’s full name, account number, or email address. Information that is “linked or linkable” to an individual is information that can, in combination with additional information from other sources, identify a specific individual. This includes information such as an employer, job title, age, and gender. PII is a necessarily broad term and includes identifiers such as an individual’s name, physical address, email address, IP address, phone number, and date of birth.
Collection and Use
When you interact with us through CFTC.gov, Whistleblower.gov, or CFTC’s Portal, you may be required to share certain PII. For example, we will collect your email address when you subscribe to one of our newsfeeds or request materials, and we will collect your name and email address when you comment on a proposed rule. Other interactions like sending us a report of a suspicious activity or a complaint concerning a regulated person or entity will also entail sharing PII with us, such as your name, telephone number, and mailing address. In all instances, we strive to only collect the minimum amount of PII necessary for the interaction.
The PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal will generally be used only for a purpose that is compatible with the purpose for which it was originally collected. For example, we will use your PII to send you information that you request, to investigate and resolve complaints that you report, and to communicate with you directly regarding a comment on a proposed rulemaking. In limited circumstances, we may also use your PII for a purpose that is legally required or otherwise necessary and proper, such as sending you an update when we update our privacy policies or notifying you of a data breach affecting your PII. When you share your PII with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal, you understand that you are consenting to the use of such information in accordance with this notice as well as for any additional purposes identified in an applicable Privacy Act statement.
In certain circumstances, information that you share is covered by the Privacy Act of 1974 (“Privacy Act”) (5 U.S.C. § 552a) in which case the form, field, or webpage through which you provide the information will include a “Privacy Act statement”. The Privacy Act statement includes additional information about the legal authority that permits the collection of the information, the principle purposes for which the information will be used, other parties with whom the information may be shared, and for what purpose. A Privacy Act statement supplements this notice and applies to only the information submitted to us though the specific form, field, or webpage.
IP Addresses Collection and Use
When you visit CFTC.gov, Whistleblower.gov, or CFTC’s Portal we collect your full Internet Protocol (IP) address, browser type, and location information for internal governmental purposes related to information and system security.
Each computer or device that is connected to the Internet is assigned an IP address, a sequence of numbers that is used to identify the computer or device and to direct traffic across the Internet. The full IP address allows your computer or other device to communicate with CFTC.gov, Whistleblower.gov, CFTC’s Portal, and other websites on the Internet. Without the exchange of IP addresses between visitors and websites, communication over the Internet would not be possible. Therefore, we necessarily collect your IP address when you connect to CFTC.gov, Whistleblower.gov, and CFTC’s Portal so that we can communicate with your computer and exchange information.
Using your full IP address, which is linked to your computer or device, we are generally able to identify you by combining it with additional subscriber information maintained by your internet service provider. We will only use your IP address for this purpose in very limited circumstances. For example, we may use a visitor’s full IP address to trace the particular visitor’s identity when investigating a violation of our security policies or user agreements.
Sharing and Disclosure
Internal Sharing. We allow limited access to PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal to CFTC employees and contractors who have a need to access the information in the performance of their official duties. This includes employees and contractors responsible for maintaining CFTC.gov, Whistleblower.gov, and CFTC’s Portal as well as employees and contractors whose duties include responding to the particular complaint, feedback, or request received.
External Sharing. We disclose PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal only as required by law and/or for purposes consistent with the Privacy Act. We may disclose information collected through CFTC.gov, Whistleblower.gov, and CFTC’s Portal with third parties such as law enforcement, foreign government authorities, and other federal or state government agencies in order to advance the purpose for which you provide the information and to meet our statutory obligations when carrying out our mission. In addition, when applicable we may disclose your PII in accordance with the Privacy Act and any routine uses published in the applicable system of records notice. All of our system of record notices are published in the Federal Register and are also available through our privacy program page at cftc.gov/privacy.
Information that you share through CFTC.gov, Whistleblower.gov, or CFTC’s Portal may be subject to disclosure under the Freedom of Information Act (“FOIA”). If you believe that information you share is exempt from disclosure under FOIA and you wish for us to consider a petition for confidential treatment, you may submit a petition according to the procedure set forth in our regulations at 17 C.F.R. § 145.9.
Commercial Marketing. We do not collect or share information for commercial marketing purposes. We do not disclose, give, sell, or transfer any PII that we collect from visitors to CFTC.gov, Whistleblower.gov, or CFTC’s Portal unless it is required by statute or for law enforcement purposes.
We maintain and dispose of all PII that you share through CFTC.gov, Whistleblower.gov, or CFTC’s Portal according to federal records retention policies and National Archives and Records Administration requirements. These policies determine how long we keep the information that we collect. Different types of information may be subject to different General Records Schedules or Records Control Schedules depending on the type of information involved and the context in which it is shared and, therefore, may be kept for longer or shorter periods of time.
WEB MEASUREMENT AND CUSTOMIZATION
Single Session and Multi-Session Cookies
A cookie is a small line of text that we store in your web browser or on your device to facilitate communication between your computer or device and our websites. We generally use single session cookies (not multi-session cookies) on CFTC.gov and Whistleblower.gov to collect information from visitors; however, for some videos that are visible on our websites or available on YouTube, a persistent cookie may be set by a third-party provider. To learn more about online tracking and cookies, we recommend reviewing the Federal Trade Commission’s resources on understanding cookies. When you visit our websites, your computer or device may store one of the following types of cookies:
To protect your privacy and the confidentiality of information provided through certain forms and applications available through CFTC.gov and Whistleblower.gov (including but not limited to our Tips, Complaints, and Referrals (TCR) Form, Whistleblower Program Award Application, and Reporting to the CFTC Division of Enforcement (DOE) Form), we do not use single session or multi-session cookies on such forms and applications. This information is collected using CFTC’s Portal, an electronic system operated by the CFTC as an interface between it and individuals and entities submitting information to the CFTC. We include additional information about CFTC’s Portal below.
Google Analytics Collection
When you visit CFTC.gov and Whistleblower.gov, we use Google Analytics, a web measurement service, to collect, combine, and summarize information about your use of these websites. Google Analytics collects and analyzes information regarding your browsing activities using single session cookies. Google Analytics automatically “anonymizes” (i.e., masks the information so it cannot be identified with you) any PII by using a partial IP address, and hence Google does not receive any PII from your visit to CFTC.gov or Whistleblower.gov. Google automatically receives the anonymized data and immediately combines your data with other CFTC.gov and Whistleblower.gov visitors’ data for analysis. Neither the CFTC nor Google ever have access to information regarding the specifics of your browsing activities on any of our sites. The cookies expire after you leave CFTC.gov and Whistleblower.gov and they are automatically deleted from your computer or device. This is a “Tier 1” use according to OMB M-10-22.
If you navigate to CFTC.gov or Whistleblower.gov solely to read or download information, Google Analytics collects and stores only the following information in order to deliver aggregate data to CFTC:
To protect your privacy and the confidentiality of information provided through CFTC’s Portal, we do not use Google Analytics to collect, combine, or summarize visitor interactions with CFTC’s Portal.
Google Analytics Use
Google Tag Manager
We also use the New Relic Browser to collect, report, and analyze visitor interactions at CFTC.gov and Whistleblower.gov. We use this information to help identify performance issues with these websites as well any application errors that might occur during a visitor’s browsing session. The analytics reports that we receive from New Relic are available only to members of the CFTC communications and web teams, and other designated federal staff and contractors who need this information in the performance of their official duties. New Relic Browser uses session cookies that expire at the end of a user’s browsing session. This is a “Tier 1” use according to OMB M-10-22. To protect your privacy and the confidentiality of the information that you provide through CFTC’s Portal, we do not use New Relic Browser to collect, report, or analyze visitor interactions with CFTC’s Portal.
We use CFTC’s Portal to protect your privacy and the confidentiality of information provided through certain forms and applications available through CFTC.gov and Whistleblower.gov (including but not limited to our Tips, Complaints, and Referrals (TCR) Form, Whistleblower Program Award Application, and Reporting to the CFTC Division of Enforcement (DOE) Form). CFTC’s Portal provides an added layer of security by ensuring that all of the information you submit is encrypted end-to-end. Information that we receive through the CFTC’s Portal is not retained by our website content manager and is directed to a secure environment hosted on our network that can only be accessed by staff with a need to access it in the performance of their official duties.
In addition to collecting information through forms and applications available on CFTC.gov and Whistleblower.gov, we use CFTC’s Portal to collect information from regulated entities. If you are a regulated entity that needs to gain access to CFTC’s Portal in order to report certain information required by the Commodity Exchange Act, 7 U.S.C. § 1, et seq. and our regulations promulgated thereunder, you will be required to create an account. In order for you to create an account we will collect PII such as your name, business email address, and phone number. We will use your name and business email to establish an identity associated with the account and we will use your phone number to contact you as a form of multi-factor authentication each time that you access CFTC’s Portal.
If you are interested in learning more about CFTC’s Portal and the information that we collect from our regulated entities, we recommend that you visit our Frequently Asked Questions page. If your question is not answered on the Frequently Asked Questions page, we recommend that you please contact TechSupport@cftc.gov.
You may be required to submit information about yourself and others through CFTC’s Portal if you represent an entity regulated by the CFTC with reporting, regulatory, or oversight obligations as set out in 17 C.F.R. §§ 17, 18, 19, 20, 39 and 151, are requesting exemptions on behalf of such entities, or wish to provide information relating to possible violations of the Commodity Exchange Act.
In certain circumstances, information that you submit is covered by the Privacy Act and the form will include a “Privacy Act statement”. The Privacy Act statement includes additional information about the legal authority that permits the collection of the information, the principle purposes for which the information will be used, other parties with whom the information may be shared, and for what purpose. A Privacy Act statement supplements this notice and applies to only the information submitted to us though the specific form.
The types of PII that we collected through CFTC’s Portal include:
The information that we collect through CFTC’s Portal is critical to fulfilling our mission under the Commodity Exchange Act, 7 U.S.C. § 1, et seq. We use the information when performing various mission-critical functions, such as monitoring the commodity futures and swaps market, conducting surveillance on both intra and inter-exchange and across side-by-side electronic trading platforms, and reviewing the activities of our registered entities to ensure that they are complying with the Commodity Exchange Act and our regulations promulgated thereunder.
You or the access administrators at your entity, if applicable, are responsible for employing adequate security measures to protect your username and password. You should immediately notify the CFTC in the event of: (i) any loss, theft, misuse or other unauthorized access, dissemination or disclosure of information contained in CFTC’s Portal; or (ii) attempts to penetrate the CFTC’s Portal or its security systems, or other malicious or accidental activity that could or reasonably could compromise confidential or personal information. If this occurs, you and/or your access administrator will need to coordinate with CFTC security and privacy personnel to investigate and remediate the security and/or privacy breach.
We provide links to other federal and non-federal websites on CFTC.gov and Whistleblower.gov that we think you may find useful or that are necessary for the performance of agency functions. When you follow a link to a non-federal website, you will receive a notice informing you that you are leaving our website. While we provide links to other federal and non-federal websites throughout CFTC.gov and Whistleblower.com, we do not have any control over their privacy policies and content. Once you leave CFTC.gov or Whistleblower.gov and access another federal or non-federal website, we recommend that you review that website’s privacy policies to understand what information they collect from site visitors and how they protect your privacy.
We use social media platforms to engage in dialog that increases government transparency, promotes public participation, and encourages collaboration with the CFTC. CFTC currently maintains official CFTC accounts on the following social media websites: Facebook, Twitter, YouTube, LinkedIn, and Flickr. We do not control, moderate, or endorse the comments or opinions provided by visitors to these sites. These social media sites have their own privacy policies and we encourage you to read each policy for the social media platforms that you use.
The CFTC may also use social media sites in the context of an investigation or enforcement proceedings, such as suspected violations of the Commodity Exchange Act or a threat of violence against the CFTC. Information is generally collected with consent or from publicly-available sources; however, in limited enforcement situations, when other investigative avenues are limited, an approved CFTC staff member may appear as a member of the public by using a username and profile not affiliated with the CFTC to seek information about business opportunities that may violate the Commodity Exchange Act. Information collected for investigative purposes and to which the Privacy Act applies is maintained in the Commission’s investigatory or enforcement system of records and is used, disclosed, and retained in accordance with the applicable Privacy Act system of records notice. The Commission follows a structured process to minimize privacy risks and collects only the PII necessary and relevant to the investigation or enforcement action. Only CFTC users with a legitimate business “need to know” have access to information used for investigations and enforcement actions, and these users have received specific training concerning the sensitivity of this type of information. The CFTC may share information with foreign government officials, other federal officials, and state officials as stated in the system of records notices. See CFTC-10, Investigatory Records (Exempted) available at 76 FR 5973, and CFTC-16, Enforcement Case Files available at 76 FR 5973.
INFORMATION SAFEGUARDS AND MONITORING
CFTC.gov, Whistleblower.gov, and CFTC’s Portal are official United States Government systems which may be used only for authorized purposes. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the operations of CFTC.gov, Whistleblower.gov, or CFTC’s Portal are strictly prohibited and punishable by law, including under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996. CFTC.gov, Whistleblower.gov, and CFTC’s Portal use software that can monitor network traffic and identify unauthorized attempts to upload or change information, or otherwise cause damage to the website. Use of these websites constitutes consent to such monitoring and auditing. Except for authorized law enforcement investigations, this monitoring and auditing is not used to identify individual users or their usage habits.
CFTC takes precautions to maintain the security, confidentiality, and integrity of the information collected and maintained on CFTC.gov, Whistleblower.gov, and CFTC’s Portal in accordance with the requirements of the E-Government Act of 2002 and guidelines issued by the National Institute for Science and Technology. Such measures include access controls designed to limit access to the information internally to the extent necessary to accomplish CFTC’s mission and complying with the Privacy Act with respect to internal and external disclosures. CFTC reviews and tests these security controls on an ongoing basis to ensure that PII is protected when it is processed, transmitted, and stored on any CFTC information technology system.
The CFTC’s information technology systems are protected by EINSTEIN cybersecurity capabilities, under the operational control of the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). Electronic communications with the CFTC may be scanned to look for network traffic indicating known or suspected malicious cyber activity, including malicious content or communications. Electronic communications may be collected or retained by US-CERT only if they are associated with known or suspected cyber threats. US-CERT will use the information collected through EINSTEIN to analyze the known or suspected cyber threat and help the CFTC and other agencies respond and better protect their computers and networks. For additional information about EINSTEIN capabilities, we recommend that you visit https://www.cisa.gov/einstein where you can review program-related Privacy Impact Assessments along with other information about the federal government’s cybersecurity activities.
Please direct your privacy questions to the CFTC Privacy Office: