Appendix 6. Privacy Policy for the CFTC Web Site

Web Site Privacy Policy

The privacy of visitors to our website is of the utmost importance to the CFTC. You are not required to give us any personal information to visit our website. While we automatically collect certain data for statistical purposes, that data does not include your name, mailing or email address.

Information Collected and Stored Automatically

If you visit the CFTC website to read or download information, such as press releases or publications, we will collect and store certain technical information about your visit. We do not collect your name, email, mailing address or similar identifying information. We only collect the following:

  • On your end, the name of the domain (the machine or website) from which you access the Internet (for example, aol.com if you are connecting from an America Online account) and/or the name and Internet Protocol (IP) address of the server you are using to access the CFTC website (the IP address is a series of numbers that identifies a server or computer connected to the Internet);
  • The name and version of the web browser used to access a CFTC web page (for example, Microsoft Explorer or Firefox);
  • On our side, the name and IP address of the CFTC server that received and logged the request;
  • The date and time the request was received, and
  • The information you are accessing (for example, which page or image you choose to read or download).

We use this information to measure the number of visitors to the different sections of our website, assess system performance and to help us make the website more useful to our visitors. In the event of a computer security incident, such data may be manually analyzed to allow computer security specialists to identify Internet service providers and, in extreme cases, to attempt to identify the specific computer and individual involved in an attack on the CFTC's website. The information below on "Intrusion Detection Monitoring" further explains this.

Cookies

The information being collected automatically, as explained above, is collected through the use of "session cookies" set through Google Analytics. "Session cookies" are small bits of text placed on a user's hard drive for the duration of a web session, i.e., for as long as your browser is accessing the CFTC website at one time. As soon as you close the CFTC website, the cookie expires.

The CFTC does not use "persistent cookies," which are small bits of text saved on a user's hard drive in order to identify that user, or information about that user, the next time the user logs on the a web site. However, for some videos that are visible on http://www.cftc.gov or available on YouTube, a "persistent cookie" may be set by the third party providers when you click to play the video.

If You Choose to Send Us Personal Information

You may choose to send us information which personally identifies you. For example, you may complete an on-line form, send a complaint concerning a regulated person or entity, report suspicious activity, send a comment or input on a proposed rule, or email the CFTC through the website. Such information is used to respond to your request and to help us get you the information you have requested. We also use the information for the specific purposes identified on each form or on the web page requesting information.

For example, if you send us a comment letter on a proposed rule, that letter becomes part of the CFTC's comment file and generally is available to the public. The comments help the CFTC and other members of the public evaluate proposed Commission actions. If you register on http://www.cftc.gov and submit large trader data through the Position Entry for Reportable Traders application (PERT Online), this data will be used by the Commission for market oversight, e.g., oversight of trader activities and enforcement of speculative position limits.

You may submit other forms to us, such as Freedom of Information Act requests or requests for correction of information. Such forms may contain information that CFTC staff use to track and respond to your request. Information you provide to the CFTC Division of Enforcement on our Report Suspicious Activities or Information form may be shared with other law enforcement or other Federal agencies when appropriate.

Sharing of Your Information

If you choose to provide personal information, you are consenting to the CFTC's use of that information and permitting that it be shared with CFTC employees and contractors to conduct official business. Such employees and contractors are subject to confidentiality restrictions to protect your personal information. The information may also be shared by the CFTC with third parties to advance the purpose for which you provide the information, including law enforcement and other federal or state government agencies. Your information will only be used to perform official business for which it was collected. For example:

  1. If you report suspicious activity that suggests a violation of the CEA, the information you have provided may be shared with law enforcement and other federal or state agencies. In this situation, the primary use of your PII would be to enable the government to contact you in the event we have questions regarding the information you have reported.
  2. If you populate a Tip, Complaint or Referral (TCR) form to be considered as a whistleblower under the Dodd-Frank Act, the information you have provided may be disclosed to the Whistleblower Award Determination Panel, law enforcement, and other federal or state agencies. In this situation, the primary use of your PII would be to:
    1. Evaluate the merit of an award;
    2. Allow for the payment of monetary awards to eligible whistleblowers; and/or
    3. Provide anti-retaliation protections for whistleblowers that share information with or assist the CFTC, as limited by the CEA.

Under certain circumstances, the CFTC may be required by law to disclose information you submit to other authorities for official purposes, for example, to respond to a Congressional inquiry or subpoena.

When you choose to send e-mail to the CFTC, you are consenting to the CFTC using the information provided therein, including PII, in accordance with this notice, unless you expressly state in the email your objection to any use.

Your personal information will be protected from misuse while in the possession of the CFTC. Management, operational and technical controls are in place with the goal of ensuring the confidentiality, availability, and integrity of the PII. If an incident or breach is suspected or confirmed involving sensitive personal information, contact will be made with all affected parties in a timely manner. The CFTC will then work with individuals to ensure swift and appropriate action is taken to mitigate risks.

Linking to Other Web sites

We provide links to Federal and non-Federal websites if we think they may be useful to our visitors or necessary for the performance of agency functions. This includes commercial websites such as Facebook, Twitter, Flickr and YouTube.

When you follow a link to a non-CFTC website, you will first be directed to a web page that reminds you that you are leaving http://www.cftc.gov and that the website you are about to visit is not endorsed by the CFTC. These other websites are not within the CFTC's control. The CFTC does not guarantee the accuracy or completeness of any information on these sites. Be aware that the privacy protection provided to you on http://www.cftc.gov may not be available at the external link. Once you link to another site, you are subject to the policies of that site.

Use of Social Media Sites

The CFTC uses Twitter, Facebook, Flickr, YouTube and other Social Media Sites as additional ways to provide information to the public and fulfill its mission of protecting market participants and the commodity and futures markets from fraud, manipulation and abusive practices. Flickr and YouTube allow the CFTC to post pictures and videos that may be of interest to the public. Facebook allows the Commission to reach out to a different audience, those who may not seek out http://www.cftc.gov. Twitter allows us to post microblogs known as "tweets," i.e., text-based posts of up to 140 characters. The tweets allow our Office of Public Affairs to quickly notify reporters, the public and other "followers" of a new press release, upcoming event or other information of interest.

Using these media, the CFTC will only collect, maintain, or disseminate personally identifiable information (PII) found on Social Media Sites (SMS) in two situations.

One, for Public Affairs purposes, comments about the CFTC on SMS pages may be reviewed internally, and for newsworthy posts, included in internally-circulated daily news clips with the author's name and affiliated organization if publicly-available. Two, for enforcement purposes, when necessary for an investigation or enforcement proceedings (such as suspected violations of the CEA or a threat of violence against the Commission), information obtained from the Internet may be collected and preserved. The information collected is offered to the Commission with consent or is from publicly-available sources on the Internet, except that in limited enforcement situations, when other investigative avenues are limited, a specifically approved Commission staff member may act as a member of the public by using a username and profile not affiliated with the CFTC to seek information about business opportunities that may violate the CEA, simulating the day-to-day customer experience.

Information collected for investigative purposes and to which the Privacy Act of 1974 applies is maintained in the Commission's investigatory or enforcement system of records. See CFTC System of Record Notice (SORN) CFTC-10, Investigatory Records (Exempted), and CFTC-16, Enforcement Case Files, at Federal Register, 76 Fed. Reg. 5973-6002 (2011), as may be amended. To minimize privacy risks in this situation, a structured process is followed, very limited PII collected, only CFTC Internet users with a legitimate business "need to know" have access to this information, CFTC users have received specific training concerning the sensitivity of this type of information, and the CFTC provides public notice through this privacy policy, a Privacy Impact Assessment, and when feasible, a privacy notice on certain specific social media sites. See, e.g., Internet and Social Media Use Privacy Impact Assessment for details.

Security

Personal information collected and maintained by the CFTC are protected from unauthorized access and misuse through comprehensive administrative, technical and physical security measures. Administrative measures include a privacy governance structure, mandatory annual privacy and security training for all CFTC employees, internal policies and controls over data handling practices, and regular auditing of systems. Technical security measures within CFTC include restrictions on computer access to authorized individuals, required use of strong passwords that are frequently changed, use of encryption for certain data types and transfers, and regular review of security procedures and best practices to enhance security. Physical measures include restrictions on building access to authorized individuals only and maintaining records in lockable offices and filing cabinets.

Intrusion Detection Monitoring

The CFTC uses software programs to monitor this website for security purposes to ensure it remains available to all users and to protect information in the system. By accessing this website, you are expressly consenting to these monitoring activities. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the system or its operation are prohibited. Evidence of such acts may be disclosed to law enforcement authorities and result in criminal prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996, 18 USC 1030, or other applicable criminal laws. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.

Other Privacy Information: Systems of Records Notices and Privacy Impact Assessments

The CFTC regularly publishes information in the Federal Register on its systems of records maintained under the Privacy Act of 1974. See CFTC Privacy Act Systems of Records Notices.

CFTC Privacy Impact Assessments

Questions About Privacy

If you have questions about CFTC's privacy policy and information practices, you can email us at privacy@cftc.gov, or contact:
Chief Privacy Officer
Commodity Futures Trading Commission
1155 21st St., N.W.
Washington DC 20581
Phone: 202-418-5000
Fax: 202-418-5532