PRIVACY NOTICE
This notice explains how we, the Commodity Futures Trading Commission (“CFTC” or “Commission”),
collect, use, maintain, and share your personally identifiable information (PII) when you visit CFTC.gov,
Whistleblower.gov, or the CFTC’s Portal and when you interact with us through our various social
media accounts. Your privacy is important to us, and we take our responsibility to protect your
privacy seriously. To learn more about our privacy program and how we protect your privacy, please visit our
privacy program page at cftc.gov/privacy.
PERSONALLY IDENTIFIABLE INFORMATION
- Collection and Use
- IP Addresses Collection and Use
- Sharing and Disclosure
- Retention
WEB MEASUREMENT AND CUSTOMIZATION
- Single Session and Multi-Session Cookies
- Google Analytics Collection
- Google Analytics Use
- Google Tag Manager
- New Relic
- Cookie Opt-Out
CFTC’s PORTAL
- Individuals Covered
- Information Collection
- Information Uses
- Your Responsibilities
EXTERNAL WEBSITES
SOCIAL MEDIA
INFORMATION SAFEGUARDS AND MONITORING
CONTACT INFORMATION
PERSONALLY IDENTIFIABLE INFORMATION
Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s
identity, either alone or when combined with information that is “linked” or “linkable” to a specific individual.
Information that we can use alone to identify a specific individual typically includes identifiers such as a person’s
full name, account number, or email address. Information that is “linked or linkable” to an individual is information
that can, in combination with additional information from other sources, identify a specific individual.
This includes information such as an employer, job title, age, and gender. PII is a necessarily broad term and includes
identifiers such as an individual’s name, physical address, email address, IP address, phone number, and date of birth.
Collection and Use
When you interact with us through CFTC.gov, Whistleblower.gov, or CFTC’s Portal, you may be required to share certain PII.
For example, we will collect your email address when you subscribe to one of our newsfeeds or request materials, and we will
collect your name and email address when you comment on a proposed rule. Other interactions like sending us a report of a
suspicious activity or a complaint concerning a regulated person or entity will also entail sharing PII with us, such as your
name, telephone number, and mailing address. In all instances, we strive to only collect the minimum amount of PII necessary
for the interaction.
The PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal will generally be used only for a purpose
that is compatible with the purpose for which it was originally collected. For example, we will use your PII to send you
information that you request, to investigate and resolve complaints that you report, and to communicate with you directly
regarding a comment on a proposed rulemaking. In limited circumstances, we may also use your PII for a purpose that is legally
required or otherwise necessary and proper, such as sending you an update when we update our privacy policies or notifying you
of a data breach affecting your PII. When you share your PII with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal,
you understand that you are consenting to the use of such information in accordance with this notice as well as for any additional
purposes identified in an applicable Privacy Act statement.
In certain circumstances, information that you share is covered by the Privacy Act of 1974 (“Privacy Act”) (5 U.S.C. § 552a) in
which case the form, field, or webpage through which you provide the information will include a “Privacy Act statement”.
The Privacy Act statement includes additional information about the legal authority that permits the collection of the information,
the principle purposes for which the information will be used, other parties with whom the information may be shared, and for
what purpose. A Privacy Act statement supplements this notice and applies to only the information submitted to us though the
specific form, field, or webpage.
IP Addresses Collection and Use
When you visit CFTC.gov, Whistleblower.gov, or CFTC’s Portal we collect your full Internet Protocol (IP) address, browser type,
and location information for internal governmental purposes related to information and system security.
Each computer or device that is connected to the Internet is assigned an IP address, a sequence of numbers that is used to
identify the computer or device and to direct traffic across the Internet. The full IP address allows your computer or
other device to communicate with CFTC.gov, Whistleblower.gov, CFTC’s Portal, and other websites on the Internet.
Without the exchange of IP addresses between visitors and websites, communication over the Internet would not be possible.
Therefore, we necessarily collect your IP address when you connect to CFTC.gov, Whistleblower.gov, and CFTC’s Portal
so that we can communicate with your computer and exchange information.
Using your full IP address, which is linked to your computer or device, we are generally able to identify you by combining
it with additional subscriber information maintained by your internet service provider. We will only use your IP address
for this purpose in very limited circumstances. For example, we may use a visitor’s full IP address to trace the particular
visitor’s identity when investigating a violation of our security policies or user agreements.
Sharing and Disclosure
Internal Sharing. We allow limited access to PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s
Portal to CFTC employees and contractors who have a need to access the information in the performance of their official duties.
This includes employees and contractors responsible for maintaining CFTC.gov, Whistleblower.gov, and CFTC’s Portal as well as
employees and contractors whose duties include responding to the particular complaint, feedback, or request received.
External Sharing. We disclose PII that you share with us through CFTC.gov, Whistleblower.gov, and CFTC’s Portal only as
required by law and/or for purposes consistent with the Privacy Act. We may disclose information collected through CFTC.gov,
Whistleblower.gov, and CFTC’s Portal with third parties such as law enforcement, foreign government authorities, and other
federal or state government agencies in order to advance the purpose for which you provide the information and to meet our
statutory obligations when carrying out our mission. In addition, when applicable we may disclose your PII in accordance with
the Privacy Act and any routine uses published in the applicable system of records notice. All of our system of record notices
are published in the Federal Register and are also available through our
privacy program page at cftc.gov/privacy.
Information that you share through CFTC.gov, Whistleblower.gov, or CFTC’s Portal may be subject to disclosure under the Freedom
of Information Act (“FOIA”). If you believe that information you share is exempt from disclosure under FOIA and you wish for us
to consider a petition for confidential treatment, you may submit a petition according to the procedure set forth in our
regulations at 17 C.F.R. § 145.9.
Commercial Marketing. We do not collect or share information for commercial marketing purposes. We do not disclose, give,
sell, or transfer any PII that we collect from visitors to CFTC.gov, Whistleblower.gov, or CFTC’s Portal unless it is required
by statute or for law enforcement purposes.
Retention
We maintain and dispose of all PII that you share through CFTC.gov, Whistleblower.gov, or CFTC’s Portal according to federal records
retention policies and National Archives and Records Administration requirements. These policies determine how long we keep the
information that we collect. Different types of information may be subject to different General Records Schedules or Records
Control Schedules depending on the type of information involved and the context in which it is shared and, therefore, may be
kept for longer or shorter periods of time.
WEB MEASUREMENT AND CUSTOMIZATION
Single Session and Multi-Session Cookies
A cookie is a small line of text that we store in your web browser or on your device to facilitate communication between your computer
or device and our websites. We generally use single session cookies (not multi-session cookies) on CFTC.gov and Whistleblower.gov to
collect information from visitors; however, for some videos that are visible on our websites or available on YouTube, a persistent cookie
may be set by a third-party provider. To learn more about online tracking and cookies, we recommend reviewing the Federal Trade Commission’s
resources on understanding cookies.
When you visit our websites, your computer or device may store one of the following types of cookies:
-
Single session. These cookies remember your online interactions within a single session or visit. These cookies expire when you close
your browser and are then automatically deleted from your computer. Any identifier is used only within that session, is not later reused, and is
deleted immediately after the session ends. Our use of these technologies on CFTC.gov and Whistleblower.gov are referred to as a “Tier 1” use
according to Office of Management and Budget Memorandum M-10-22,Guidance for Online Use of Web Measurement and Customization Technologies.
-
Multi-session without personally identifiable information. These cookies remember your browsing activities on CFTC.gov and
Whistleblower.gov across multiple visits. This technology encompasses any use of multi-session web measurement and customization
technologies when no PII is collected. These cookies collect only a portion of your Internet Protocol address. This partial IP address
is not PII because it cannot be linked with other information to identify you. The use of this multi-session technology is referred to
as a “Tier 2” use as that term is described in OMB M-10-22.
-
Multi-session with personally identifiable information. These cookies remember the way you interact with a website across multiple
visits (when you leave the site and later come back), and can collect PII about you or allow a website to recognize you (by combining it with
other information provided by you). This use is referred to as a “Tier 3” use as that term is
described in OMB M-10-22.
To protect your privacy and the confidentiality of information provided through certain forms and applications available through CFTC.gov and Whistleblower.gov
(including but not limited to our Tips, Complaints, and Referrals (TCR) Form, Whistleblower Program Award Application,
and Reporting to the CFTC Division of Enforcement (DOE) Form), we do not use
single session or multi-session cookies on such forms and applications. This information is collected using CFTC’s Portal, an electronic system operated by the
CFTC as an interface between it and individuals and entities submitting information to the CFTC. We include additional information about CFTC’s Portal below.
Google Analytics Collection
When you visit CFTC.gov and Whistleblower.gov, we use Google Analytics, a web measurement service, to collect, combine, and summarize information about your use of these websites. Google Analytics collects and analyzes
information regarding your browsing activities using single session cookies. Google Analytics automatically “anonymizes” (i.e., masks the information so it cannot be identified with you) any PII by using a partial IP address,
and hence Google does not receive any PII from your visit to CFTC.gov or Whistleblower.gov. Google automatically receives the anonymized data and immediately combines your data with other CFTC.gov and Whistleblower.gov
visitors’ data for analysis. Neither the CFTC nor Google ever have access to information regarding the specifics of your browsing activities on any of our sites. The cookies expire after you leave CFTC.gov and Whistleblower.gov
and they are automatically deleted from your computer or device. This is a “Tier 1” use according to OMB M-10-22.
If you navigate to CFTC.gov or Whistleblower.gov solely to read or download information, Google Analytics collects and stores only the following information in order to deliver aggregate data to CFTC:
- The name of your internet domain (for example, “xcompany.com” if you use a private Internet access account, or “yourschool.edu” if you are connecting from a university’s domain);
- The partial IP address assigned to the computer or device you use to access the Internet on a particular occasion before you visited CFTC.gov or Whistleblower.gov;
- Your internet connection speed;
- The date and time when you accessed CFTC.gov or Whistleblower.gov;
- The pages you visited and files you downloaded from CFTC.gov or Whistleblower.gov;
- The IP address of a website that may have referred you (i.e., linked you) to CFTC.gov or Whistleblower.gov; and,
-
Technical information about the computer or device you used to access CFTC.gov or Whistleblower.gov
(e.g., operating system, screen resolution and color, Flash/Java support, and language).
To protect your privacy and the confidentiality of information provided through CFTC’s Portal, we do not use
Google Analytics to collect, combine, or summarize visitor interactions with CFTC’s Portal.
Google Analytics Use
We use aggregate information provided by Google Analytics to manage and improve CFTC.gov and Whistleblower.gov content.
As detailed above, Google does not collect or maintain PII from our visitors and the summaries produced by Google do not
contain PII. The summaries contain statistical information that we use to assess what information is of most interest to
visitors, to identify system performance or problem areas, and to improve your experience when visiting our sites.
CFTC maintains and destroys records relating to website analytics for CFTC.gov and Whistleblower.gov according to
federal records retention policies and National Archives and Records Administration requirements. For instructions
on opting out of cookies, please see Google’s Privacy Policy and How to Opt Out of Google Cookies.
For more information on Google’s retention practices, please see Google Privacy and Terms.
Google Tag Manager
We use Google Tag Manager to manage JavaScript and HTML tags used for tracking and analytics on websites. Tags are small code elements that,
among other things, are used to measure traffic and visitor behavior on CFTC.gov. The tag manager tool itself (which deploys the tags) is
a cookie-less domain and does not collect any PII. The tool instructs other tags to fire, and these other tags may collect data.
This data is not accessed by Google Tag Manager. Please note that if you have opted-out at the domain or cookie levels, you will stay opted-out
for all of the tracking tags deployed using Google Tag Manager.
New Relic
We also use the New Relic Browser to collect, report, and analyze visitor interactions at CFTC.gov and Whistleblower.gov. We use this information
to help identify performance issues with these websites as well any application errors that might occur during a visitor’s browsing session.
The analytics reports that we receive from New Relic are available only to members of the CFTC communications and web teams, and other
designated federal staff and contractors who need this information in the performance of their official duties. New Relic Browser uses
session cookies that expire at the end of a user’s browsing session.
This is a “Tier 1” use according to OMB M-10-22.
To protect your privacy and the confidentiality of the information that you provide through CFTC’s Portal, we do not use New Relic Browser to collect, report, or
analyze visitor interactions with CFTC’s Portal.
Cookie Opt-Out
You may opt out of having cookies stored on your browser by following the instructions at USA.gov,
Web Measurement and Customization Opt-out.
(USA.gov is the official portal of the U.S. Government). If you follow these instructions to disable cookies on your web browser and delete existing CFTC cookies
from your computer, CFTC.gov and Whistleblower.gov will treat your computer and devices as anonymous and will not recognize them when you return to CFTC.gov or
Whistleblower.gov. If you’re interested in learning more about how to opt out of Google cookies on your computers and devices, we recommend that you visit
Google’s Privacy Policy and How to Opt Out of Google Cookies for additional information.
CFTC’s PORTAL
We use CFTC’s Portal to protect your privacy and the confidentiality of information provided through certain forms and applications
available through CFTC.gov and Whistleblower.gov (including but not limited to our Tips, Complaints, and Referrals (TCR) Form, Whistleblower Program Award Application, and
Reporting to the CFTC Division of Enforcement (DOE) Form).
CFTC’s Portal provides an added layer of security by ensuring that all of the information you submit is encrypted end-to-end. Information that we receive through
the CFTC’s Portal is not retained by our website content manager and is directed to a secure environment hosted on our network that can only be accessed by staff
with a need to access it in the performance of their official duties.
In addition to collecting information through forms and applications available on CFTC.gov and Whistleblower.gov, we use CFTC’s Portal to collect information
from regulated entities. If you are a regulated entity that needs to gain access to CFTC’s Portal in order to report certain information required by the
Commodity Exchange Act, 7 U.S.C. § 1, et seq. and our regulations promulgated thereunder, you will be required to create an account. In order for you to
create an account we will collect PII such as your name, business email address, and phone number. We will use your name and business email to establish
an identity associated with the account and we will use your phone number to contact you as a form of multi-factor authentication each time that you access CFTC’s Portal.
If you are interested in learning more about CFTC’s Portal and the information that we collect from our regulated entities, we recommend that you visit
our Frequently Asked Questions page. If your question is not answered on the
Frequently Asked Questions page, we recommend that you please contact TechSupport@cftc.gov.
Individuals Covered
You may be required to submit information about yourself and others through CFTC’s Portal if you represent an entity regulated by the CFTC with reporting,
regulatory, or oversight obligations as set out in 17 C.F.R. §§ 17, 18, 19, 20, 39 and 151, are requesting exemptions on behalf of such entities, or
wish to provide information relating to possible violations of the Commodity Exchange Act.
In certain circumstances, information that you submit is covered by the Privacy Act and the form will include a “Privacy Act statement”. The Privacy Act statement
includes additional information about the legal authority that permits the collection of the information, the principle purposes for which the information will be
used, other parties with whom the information may be shared, and for what purpose. A Privacy Act statement supplements this notice and applies to only the information
submitted to us though the specific form.
Information Collection
The types of PII that we collected through CFTC’s Portal include:
- Business or personal contact information, such as name, phone number, email, and mailing address;
- Username, password, security questions and answers;
- Title and employer, or the entity the individual represents;
- Ownership or control over reportable position; and,
- Other PII that is reportable to the CFTC under the Commodity Exchange Act, 7 U.S.C. § 1, et seq.
Information Uses
The information that we collect through CFTC’s Portal is critical to fulfilling our mission under the
Commodity Exchange Act, 7 U.S.C. § 1, et seq. We use the information when performing various mission-critical
functions, such as monitoring the commodity futures and swaps market, conducting surveillance on both intra
and inter-exchange and across side-by-side electronic trading platforms, and reviewing the activities of our
registered entities to ensure that they are complying with the Commodity Exchange Act and our regulations promulgated thereunder.
Your Responsibilities
You or the access administrators at your entity, if applicable, are responsible for employing adequate security measures to
protect your username and password. You should immediately notify the CFTC in the event of: (i) any loss, theft, misuse or
other unauthorized access, dissemination or disclosure of information contained in CFTC’s Portal; or (ii) attempts to penetrate
the CFTC’s Portal or its security systems, or other malicious or accidental activity that could or reasonably could compromise
confidential or personal information. If this occurs, you and/or your access administrator will need to coordinate with CFTC
security and privacy personnel to investigate and remediate the security and/or privacy breach.
EXTERNAL WEBSITES
We provide links to other federal and non-federal websites on CFTC.gov and Whistleblower.gov that we think you may find useful
or that are necessary for the performance of agency functions. When you follow a link to a non-federal website, you will receive
a notice informing you that you are leaving our website. While we provide links to other federal and non-federal websites throughout
CFTC.gov and Whistleblower.com, we do not have any control over their privacy policies and content. Once you leave CFTC.gov or
Whistleblower.gov and access another federal or non-federal website, we recommend that you review that website’s privacy policies
to understand what information they collect from site visitors and how they protect your privacy.
SOCIAL MEDIA
We use social media platforms to engage in dialog that increases government transparency, promotes public participation, and encourages
collaboration with the CFTC. CFTC currently maintains official CFTC accounts on the following social media websites: Facebook, Twitter,
YouTube, LinkedIn, and Flickr. We do not control, moderate, or endorse the comments or opinions provided by visitors to these sites.
These social media sites have their own privacy policies and we encourage you to read each policy for the social media platforms that you use.
The CFTC may also use social media sites in the context of an investigation or enforcement proceedings, such as suspected violations of the
Commodity Exchange Act or a threat of violence against the CFTC. Information is generally collected with consent or from publicly-available
sources; however, in limited enforcement situations, when other investigative avenues are limited, an approved CFTC staff member may appear
as a member of the public by using a username and profile not affiliated with the CFTC to seek information about business opportunities that
may violate the Commodity Exchange Act. Information collected for investigative purposes and to which the Privacy Act applies is maintained
in the Commission’s investigatory or enforcement system of records and is used, disclosed, and retained in accordance with the applicable
Privacy Act system of records notice. The Commission follows a structured process to minimize privacy risks and collects only the PII necessary
and relevant to the investigation or enforcement action. Only CFTC users with a legitimate business “need to know” have access to information used
for investigations and enforcement actions, and these users have received specific training concerning the sensitivity of this type of information.
The CFTC may share information with foreign government officials, other federal officials, and state officials as stated in the system of
records notices. See CFTC-10,
Investigatory Records (Exempted) available at 76 FR 5973, and CFTC-16,
Enforcement Case Files available at 76 FR 5973.
INFORMATION SAFEGUARDS AND MONITORING
CFTC.gov, Whistleblower.gov, and CFTC’s Portal are official United States Government systems which may be used only for authorized purposes.
Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized
users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the operations of CFTC.gov, Whistleblower.gov, or
CFTC’s Portal are strictly prohibited and punishable by law, including under the Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act of 1996. CFTC.gov, Whistleblower.gov, and CFTC’s Portal use software that can monitor network traffic and identify
unauthorized attempts to upload or change information, or otherwise cause damage to the website. Use of these websites constitutes consent to such
monitoring and auditing. Except for authorized law enforcement investigations, this monitoring and auditing is not used to identify individual users
or their usage habits.
CFTC takes precautions to maintain the security, confidentiality, and integrity of the information collected and maintained on CFTC.gov, Whistleblower.gov,
and CFTC’s Portal in accordance with the requirements of the E-Government Act of 2002 and guidelines issued by the National Institute for Science and Technology.
Such measures include access controls designed to limit access to the information internally to the extent necessary to accomplish CFTC’s mission and complying with
the Privacy Act with respect to internal and external disclosures. CFTC reviews and tests these security controls on an ongoing basis to ensure that PII is protected
when it is processed, transmitted, and stored on any CFTC information technology system.
The CFTC’s information technology systems are protected by EINSTEIN cybersecurity capabilities, under the operational control of the U.S. Department of Homeland Security’s
United States Computer Emergency Readiness Team (US-CERT). Electronic communications with the CFTC may be scanned to look for network traffic indicating known or suspected
malicious cyber activity, including malicious content or communications. Electronic communications may be collected or retained by US-CERT only if they are associated with
known or suspected cyber threats. US-CERT will use the information collected through EINSTEIN to analyze the known or suspected cyber threat and help the CFTC and other agencies
respond and better protect their computers and networks. For additional information about EINSTEIN capabilities, we recommend that you visit https://www.cisa.gov/einstein
where you can review program-related Privacy Impact Assessments along with other information about the federal government’s cybersecurity activities.
CONTACT INFORMATION
We welcome any questions you have regarding our privacy policy or the use of your information. To learn more about the CFTC’s privacy program,
please visit cftc.gov/privacy.
Please direct your privacy questions to the CFTC Privacy Office:
By Mail: Commodity Futures Trading Commission
Attn. Privacy Office
1155 21st St., N.W.
Washington, D.C. 20581
By Email: privacy@cftc.gov
