This notice explains how we, the Commodity Futures Trading Commission (“CFTC” or “Commission”), collect, use, maintain, and share your personally identifiable information (PII) when you visit CFTC.gov, CFTC Public Reporting Environment (PRE) located at https://publicreporting.cftc.gov/, Whistleblower.gov, or the CFTC’s Portal and when you interact with us through our various social media accounts. Your privacy is important to us, and we take our responsibility to protect your privacy seriously. To learn more about our privacy program and how we protect your privacy, please visit our privacy program page at cftc.gov/privacy.
- Personally Identifiable Information
Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with information that is “linked” or “linkable” to a specific individual. Information that we can use alone to identify a specific individual typically includes identifiers such as a person’s full name, account number, or email address. Information that is “linked or linkable” to an individual is information that can, in combination with additional information from other sources, identify a specific individual. This includes information such as an employer, job title, age, and gender. PII is a necessarily broad term and includes identifiers such as an individual’s name, physical address, email address, IP address, phone number, and date of birth.
- Collection and Use
When you interact with us through CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal, you may be required to share certain PII. For example, we will collect your email address when you subscribe to one of our newsfeeds or request materials, and we will collect your name and email address when you comment on a proposed rule. Other interactions like sending us a report of a suspicious activity or a complaint concerning a regulated person or entity will also entail sharing PII with us, such as your name, telephone number, and mailing address. In all instances, we strive to only collect the minimum amount of PII necessary for the interaction.
The PII that you share with us through CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal will generally be used only for a purpose that is compatible with the purpose for which it was originally collected. For example, we will use your PII to send you information that you request, to investigate and resolve complaints that you report, and to communicate with you directly regarding a comment on a proposed rulemaking. In limited circumstances, we may also use your PII for a purpose that is legally required or otherwise necessary and proper, such as sending you an update when we update our privacy policies or notifying you of a data breach affecting your PII. When you share your PII with us through CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal, you understand that you are consenting to the use of such information in accordance with this notice as well as for any additional purposes identified in an applicable Privacy Act statement.
In certain circumstances, information that you share is covered by the Privacy Act of 1974 (“Privacy Act”) (5 U.S.C. § 552a) in which case the form, field, or webpage through which you provide the information will include a “Privacy Act statement”. The Privacy Act statement includes additional information about the legal authority that permits the collection of the information, the principle purposes for which the information will be used, other parties with whom the information may be shared, and for what purpose. A Privacy Act statement supplements this notice and applies to only the information submitted to us though the specific form, field, or webpage.
- IP Addresses Collection and Use
When you visit CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal we collect your full Internet Protocol (IP) address, browser type, and location information for internal governmental purposes related to information and system security.
Each computer or device that is connected to the Internet is assigned an IP address, a sequence of numbers that is used to identify the computer or device and to direct traffic across the Internet. The full IP address allows your computer or other device to communicate with CFTC.gov, PRE, Whistleblower.gov, CFTC’s Portal, and other websites on the Internet. Without the exchange of IP addresses between visitors and websites, communication over the Internet would not be possible. Therefore, we necessarily collect your IP address when you connect to CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal so that we can communicate with your computer and exchange information.
Using your full IP address, which is linked to your computer or device, we are generally able to identify you by combining it with additional subscriber information maintained by your internet service provider. We will only use your IP address for this purpose in very limited circumstances. For example, we may use a visitor’s full IP address to trace the particular visitor’s identity when investigating a violation of our security policies or user agreements.
- Sharing and Disclosure
Internal Sharing. We allow limited access to PII that you share with us through CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal to CFTC employees and contractors who have a need to access the information in the performance of their official duties. This includes employees and contractors responsible for maintaining CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal as well as employees and contractors whose duties include responding to the particular complaint, feedback, or request received.
External Sharing. We disclose PII that you share with us through CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal only as required by law and/or for purposes consistent with the Privacy Act. We may disclose information collected through CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal with third parties such as law enforcement, foreign government authorities, and other federal or state government agencies in order to advance the purpose for which you provide the information and to meet our statutory obligations when carrying out our mission. In addition, when applicable we may disclose your PII in accordance with the Privacy Act and any routine uses published in the applicable system of records notice. All of our system of record notices are published in the Federal Register and are also available through our privacy program page at cftc.gov/privacy.
Information that you share through CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal may be subject to disclosure under the Freedom of Information Act (“FOIA”). If you believe that information you share is exempt from disclosure under FOIA and you wish for us to consider a petition for confidential treatment, you may submit a petition according to the procedure set forth in our regulations at 17 C.F.R. § 145.9.
Commercial Marketing. We do not collect or share information for commercial marketing purposes. We do not disclose, give, sell, or transfer any PII that we collect from visitors to CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal unless it is required by statute or for law enforcement purposes.
- Retention
We maintain and dispose of all PII that you share through CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal according to federal records retention policies and National Archives and Records Administration requirements. These policies determine how long we keep the information that we collect. Different types of information may be subject to different General Records Schedules or Records Control Schedules depending on the type of information involved and the context in which it is shared and, therefore, may be kept for longer or shorter periods of time.
- CFTC’s Portal
We use CFTC’s Portal to protect your privacy and the confidentiality of information provided through certain forms and applications available through CFTC.gov and Whistleblower.gov (including but not limited to our Tips, Complaints, and Referrals (TCR) Form, Whistleblower Program Award Application, and Reporting to the CFTC Division of Enforcement (DOE) Form). CFTC’s Portal provides an added layer of security by ensuring that all of the information you submit is encrypted end-to-end. Information that we receive through the CFTC’s Portal is not retained by our website content manager and is directed to a secure environment hosted on our network that can only be accessed by staff with a need to access it in the performance of their official duties.
In addition to collecting information through forms and applications available on CFTC.gov and Whistleblower.gov, we use CFTC’s Portal to collect information from regulated entities. If you are a regulated entity that needs to gain access to CFTC’s Portal in order to report certain information required by the Commodity Exchange Act, 7 U.S.C. § 1, et seq. and our regulations promulgated thereunder, you will be required to create an account. In order for you to create an account we will collect PII such as your name, business email address, and phone number. We will use your name and business email to establish an identity associated with the account and we will use your phone number to contact you as a form of multi-factor authentication each time that you access CFTC’s Portal.
If you are interested in learning more about CFTC’s Portal and the information that we collect from our regulated entities, we recommend that visit our Frequently Asked Questions page. If your question is not answered on the Frequently Asked Questions page, we recommend that you please contact [email protected].
- Individuals Covered
You may be required to submit information about yourself and others through CFTC’s Portal if you represent an entity regulated by the CFTC with reporting, regulatory, or oversight obligations as set out in 17 C.F.R. §§ 17, 18, 19, 20, 39 and 151, are requesting exemptions on behalf of such entities, or wish to provide information relating to possible violations of the Commodity Exchange Act.
In certain circumstances, information that you submit is covered by the Privacy Act and the form will include a “Privacy Act statement”. The Privacy Act statement includes additional information about the legal authority that permits the collection of the information, the principle purposes for which the information will be used, other parties with whom the information may be shared, and for what purpose. A Privacy Act statement supplements this notice and applies to only the information submitted to us though the specific form.
- Information Collection
The types of PII that we collected through CFTC’s Portal include:
- Business or personal contact information, such as name, phone number, email, and mailing address;
- Username, password, security questions and answers;
- Title and employer, or the entity the individual represents;
- Ownership or control over reportable position; and,
- Other PII that is reportable to the CFTC under the Commodity Exchange Act, 7 U.S.C. § 1, et seq.
- Information Uses
The information that we collect through CFTC’s Portal is critical to fulfilling our mission under the Commodity Exchange Act, 7 U.S.C. § 1, et seq. We use the information when performing various mission-critical functions, such as monitoring the commodity futures and swaps market, conducting surveillance on both intra and inter-exchange and across side-by-side electronic trading platforms, and reviewing the activities of our registered entities to ensure that they are complying with the Commodity Exchange Act and our regulations promulgated thereunder.
- Your Responsibilities
You or the access administrators at your entity, if applicable, are responsible for employing adequate security measures to protect your username and password. You should immediately notify the CFTC in the event of: (i) any loss, theft, misuse or other unauthorized access, dissemination or disclosure of information contained in CFTC’s Portal; or (ii) attempts to penetrate the CFTC’s Portal or its security systems, or other malicious or accidental activity that could or reasonably could compromise confidential or personal information. If this occurs, you and/or your access administrator will need to coordinate with CFTC security and privacy personnel to investigate and remediate the security and/or privacy breach.
- External Websites
We provide links to other federal and non-federal websites on CFTC.gov, PRE, and Whistleblower.gov that we think you may find useful or that are necessary for the performance of agency functions. When you follow a link to a non-federal website, you will receive a notice informing you that you are leaving our website. While we provide links to other federal and non-federal websites throughout CFTC.gov, PRE, and Whistleblower.com, we do not have any control over their privacy policies and content. Once you leave CFTC.gov, PRE, or Whistleblower.gov and access another federal or non-federal website, we recommend that you review that website’s privacy policies to understand what information they collect from site visitors and how they protect your privacy.
- Social Media
We use social media platforms to engage in dialog that increases government transparency, promotes public participation, and encourages collaboration with the CFTC. CFTC currently maintains official CFTC accounts on the following social media websites: Facebook, Twitter, YouTube, LinkedIn, and Flickr. We do not control, moderate, or endorse the comments or opinions provided by visitors to these sites. These social media sites have their own privacy policies and we encourage you to read each policy for the social media platforms that you use.
The CFTC may also use social media sites in the context of an investigation or enforcement proceedings, such as suspected violations of the Commodity Exchange Act or a threat of violence against the CFTC. Information is generally collected with consent or from publicly-available sources; however, in limited enforcement situations, when other investigative avenues are limited, an approved CFTC staff member may appear as a member of the public by using a username and profile not affiliated with the CFTC to seek information about business opportunities that may violate the Commodity Exchange Act. Information collected for investigative purposes and to which the Privacy Act applies is maintained in the Commission’s investigatory or enforcement system of records and is used, disclosed, and retained in accordance with the applicable Privacy Act system of records notice. The Commission follows a structured process to minimize privacy risks and collects only the PII necessary and relevant to the investigation or enforcement action. Only CFTC users with a legitimate business “need to know” have access to information used for investigations and enforcement actions, and these users have received specific training concerning the sensitivity of this type of information. The CFTC may share information with foreign government officials, other federal officials, and state officials as stated in the system of records notices. See CFTC-10, Investigatory Records (Exempted) available at 76 FR 5973, and CFTC-16, Enforcement Case Files available at 76 FR 5973.
- Information Safeguards and Monitoring
CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal are official United States Government systems which may be used only for authorized purposes. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the operations of CFTC.gov, PRE, Whistleblower.gov, or CFTC’s Portal are strictly prohibited and punishable by law, including under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996. CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal use software that can monitor network traffic and identify unauthorized attempts to upload or change information, or otherwise cause damage to the website. Use of these websites constitutes consent to such monitoring and auditing. Except for authorized law enforcement investigations, this monitoring and auditing is not used to identify individual users or their usage habits.
CFTC takes precautions to maintain the security, confidentiality, and integrity of the information collected and maintained on CFTC.gov, PRE, Whistleblower.gov, and CFTC’s Portal in accordance with the requirements of the E-Government Act of 2002 and guidelines issued by the National Institute for Science and Technology. Such measures include access controls designed to limit access to the information internally to the extent necessary to accomplish CFTC’s mission and complying with the Privacy Act with respect to internal and external disclosures. CFTC reviews and tests these security controls on an ongoing basis to ensure that PII is protected when it is processed, transmitted, and stored on any CFTC information technology system.
The CFTC’s information technology systems are protected by EINSTEIN cybersecurity capabilities, under the operational control of the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). Electronic communications with the CFTC may be scanned to look for network traffic indicating known or suspected malicious cyber activity, including malicious content or communications. Electronic communications may be collected or retained by US-CERT only if they are associated with known or suspected cyber threats. US-CERT will use the information collected through EINSTEIN to analyze the known or suspected cyber threat and help the CFTC and other agencies respond and better protect their computers and networks. For additional information about EINSTEIN capabilities, we recommend that you visit https://www.cisa.gov/einstein where you can review program-related Privacy Impact Assessments along with other information about the federal government’s cybersecurity activities.
- SMS Text Messaging
- Overview
The Commission has enabled SMS text messaging in its Microsoft 365 (M365) instance to permit CFTC staff to communicate via text with individuals and entities outside of the Commission.
- Information We Collect
If you engage with CFTC staff via SMS text messaging, the Commission will collect the following information from you:
Mobile Phone Number: Collected via your interaction with the Commission, either when you respond to a text from CFTC staff or when you initiate a text message to Commission staff at their M365 telephone number.
Message Content: The text of messages sent to and from CFTC staff.
Interaction Data: Timestamps of communications, delivery status, and technical data related to message transmission.
- How We Use Your Information
The information the Commission collects from you in the context of M365 SMS text messaging will be used primarily to communicate with you. We do not sell, rent, or share your phone number for third-party commercial marketing purposes.
Your information may be disclosed to third parties only as required by law or for other purposes permitted by the Privacy Act, such as pursuant to an applicable routine use in the relevant Privacy Act system of records notice. Depending on the nature of your communication with CFTC staff, relevant Privacy Act systems of records may include, for example, CFTC-10 investigatory Records, CFTC-16 Enforcement Case Files, CFTC-49 Whistleblower Records, CFTC-32 Office of Inspector General Investigative Files, or CFTC-2 Commission Correspondence Files.
You may opt out of receiving text messages from CFTC at any time. Just text 'STOP' to 2024185600. After you send the SMS message 'STOP' to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. Message frequency varies. Message and data rates may apply.”
- Data Security
Platform Security: This initiative uses Microsoft 365, which encrypts data in transit and at rest within a secure network of data centers.
Access Control: Access to SMS data is restricted to authorized CFTC employees and contractors with a specific "need to know" in the performance of their duties.
Communication Compliance: As part of our, and Microsoft’s, security protocols, message content may be audited to detect and prevent malicious activities, threats, or harassment.
- Data Retention
Your information will be retained in accordance with the applicable records retention schedule approved by the National Archives and Records Administration.
- Contact Information
We welcome any questions you have regarding our privacy policy or the use of your information. To learn more about the CFTC’s privacy program, please visit cftc.gov/privacy. Please direct your privacy questions to the CFTC Privacy Office:
By Mail: Commodity Futures Trading Commission
Attn. Privacy Office
1155 21st St., N.W.
Washington, D.C. 20581By Email: [email protected]