The privacy of visitors to our websites, www.cftc.gov, www.SmartCheck.gov, and www.WhistleBlower.gov, is of the utmost importance to the CFTC. You are not required to give us any personal information to visit our websites. While we automatically collect certain data for statistical purposes, that data does not include your name, mailing or email address.
Information Collected and Stored Automatically
If You Choose to Send Us Personal Information
Sharing of Your Information
Linking to Other Websites
Use of Social Media Sites
Intrusion Detection Monitoring and US-CERT EINSTEIN Program
Other Privacy Information: Systems of Records Notices and Privacy Impact Assessments
Questions About Privacy
If you visit the CFTC websites to read or download information, such as press releases or publications, we will collect and store certain technical information about your visit. We do not collect your name, email, mailing address or similar identifying information. We only collect the following:
- on your end, the name of the domain (the machine or website) from which you access the Internet (for example, aol.com if you are connecting from an America Online account) and/or the name and Internet Protocol (IP) address of the server you are using to access the CFTC website (the IP address is a series of numbers that identifies a server or computer connected to the Internet);
- the name and version of the web browser used to access a CFTC web page (for example, Microsoft Explorer or Firefox);
- on our side, the name and IP address of the CFTC server that received and logged the request;
- the date and time the request was received, and
- the information you are accessing (for example, which page or image you choose to read or download).
We use this information to measure the number of visitors to the different sections of our websites, assess system performance and to help us make the websites more useful to our visitors. In the event of a suspected cybersecurity threat or potential computer security incident, such data may be manually analyzed to allow computer security specialists to identify Internet service providers and, in extreme cases, to attempt to identify the specific computer and individual involved in an attack on the CFTC’s sites. The information below on “Intrusion Detection Monitoring and US-CERT EINSTEIN Program” further explains this.
The information being collected automatically, as explained above, is collected through the use of “session cookies” set through Google Analytics. “Session cookies” are small bits of text placed on a user’s hard drive for the duration of a web session, i.e., for as long as your browser is accessing the CFTC website at one time. As soon as you close the CFTC website, the cookie expires.
The CFTC does not use “persistent cookies,” which are small bits of text saved on a user’s hard drive in order to identify that user, or information about that user, the next time the user logs on the a web site. However, for some videos that are visible on our websites or available on YouTube, a "persistent cookie" may be set by the third party providers when you click to play the video.
You may choose to provide CFTC personnel information which personally identifies you. For example, you may complete an on-line form, request materials, send a complaint concerning a regulated person or entity, report suspicious activity, send a comment or input on a proposed rule, or email the CFTC through our websites. Such information is used to respond to your request and to help us get you the information you have requested. We also use the information for the specific purposes identified on each form or on the web page requesting information.
For example, if you send us a comment letter on a proposed rule, that letter becomes part of the CFTC’s comment file and generally is available to the public. The comments help the CFTC and other members of the public evaluate proposed Commission actions. If you register on www.cftc.gov and submit large trader data through the Position Entry for Reportable Traders application (PERT Online), this data will be used by the Commission for market oversight, e.g., oversight of trader activities and enforcement of speculative position limits.
If you choose to provide personal information, you are consenting to the CFTC’s use of that information and allowing the information to be shared with CFTC employees and contractors to conduct official business. Such employees and contractors are subject to confidentiality restrictions to protect your personal information. The information may also be shared by the CFTC with third parties to advance the purpose for which you provide the information, including law enforcement, foreign government authorities, and other federal or state government agencies. Your information will only be used to perform official business for which it was collected and for other uses compatible with the purposes for which it was collected. For example:
- If you report suspicious activity that suggests a violation of the Commodity Exchange Act, the information you have provided may be shared with law enforcement, foreign government authorities, and other federal or state agencies. In this situation, the primary use of your PII would be to enable the government to contact you in the event we have questions regarding the information you have reported.
- If you populate a Tip, Complaint or Referral (TCR) form to be considered as a whistleblower under the Dodd-Frank Act, the information you have provided may be disclosed to the Whistleblower Award Determination Panel, and depending on whether you have requested anonymity and the extent of the investigation into your allegations, to law enforcement, foreign government authorities and other federal or state agencies, in accordance with the Commodity Exchange Act. In this situation, the primary use of your PII would be to:
a. Evaluate the merit of an award;
b. Allow for the payment of monetary awards to eligible whistleblowers;
c. Investigate the information you have provided to determine whether a violation of law has occurred; and
d. Provide anti-retaliation protections for whistleblowers that share information with or assist the CFTC, as limited by the Commodity Exchange Act (CEA).
Under certain circumstances, the CFTC may be required by law to disclose information you submit to other authorities for official purposes, for example, to respond to a Congressional inquiry or subpoena.
When you choose to provide information to the CFTC by email, voicemail, through the CFTC websites or other means, you are consenting to the CFTC using the information provided therein, including PII, in accordance with this notice and the applicable Privacy Act of 1974 system of records notices.
Your personal information will be protected from misuse while in the possession of the CFTC. Management, operational and technical controls are in place with the goal of ensuring the confidentiality, availability, and integrity of the PII. If a potential incident or incident is suspected or confirmed involving the loss or unauthorized disclosure of sensitive personal information and would likely result in substantial harm to individuals, CFTC will endeavor to contact all affected parties in a timely manner, unless doing so would pose risks to the investigation of the potential incident or incident. The CFTC will work to ensure that swift and appropriate action is taken to mitigate risks.
We provide links to Federal and non-Federal websites if we think they may be useful to our visitors or necessary for the performance of agency functions. These include commercial websites such as Facebook, Twitter, Flickr and YouTube.
When you follow a link to a non-CFTC website, you will first be directed to a web page that reminds you that you are leaving our website and that the website you are about to visit is not endorsed by the CFTC. These other websites are not within the CFTC’s control. The CFTC does not guarantee the accuracy or completeness of any information on these sites. Be aware that the privacy protection provided to you on our websites may not be available at the external link. Once you link to another site, you are subject to the policies of that site.
The CFTC uses Twitter, Facebook, Flickr, YouTube and other Social Media Sites to provide information to the public and fulfill its mission of protecting market participants and the commodity and futures markets from fraud, manipulation and abusive practices. Flickr and YouTube allow the CFTC to post pictures and videos that may be of interest to the public. Facebook allows the Commission to reach out to a different audience, those who may not seek out our websites. Twitter allows us to post microblogs known as “tweets,” i.e., text-based posts of up to 140 characters and quickly notify reporters, the public and other “followers” of a new press release, upcoming event or other information of interest.
Using these media, the CFTC will only collect, maintain, or disseminate personally identifiable information (“PII”) found on Social Media Sites (“SMS”) in two situations.
One, for Public Affairs purposes, comments about the CFTC on SMS pages may be reviewed internally, and for newsworthy posts, included in internally-circulated daily news clips with the author's name and affiliated organization if publicly-available. Two, for enforcement purposes, when necessary for an investigation or enforcement proceedings (such as suspected violations of the Commodity Exchange Act or a threat of violence against the Commission), information obtained from the Internet may be collected and preserved. The information collected is offered to the Commission with consent or is from publicly-available sources on the Internet, except that in limited enforcement situations, when other investigative avenues are limited, a specifically approved Commission staff member may act as a member of the public by using a username and profile not affiliated with the CFTC to seek information about business opportunities that may violate the Act, simulating the day-to-day customer experience.
Personal information collected and maintained by the CFTC are protected from unauthorized access and misuse through comprehensive administrative, technical and physical security measures. Administrative measures include a privacy governance structure, mandatory annual privacy and security training for all CFTC staff, internal policies and controls over data handling practices, and regular auditing of systems. Technical security measures within CFTC include restrictions on computer access to authorized individuals, required use of strong passwords that are frequently changed, use of encryption for certain data types and transfers, and regular review of security procedures and best practices to enhance security. Physical measures include restrictions on building access to authorized individuals only and maintaining records in lockable offices and filing cabinets.
The CFTC uses software programs to monitor this website for security purposes to ensure it remains available to all users and to protect information in the system. By accessing our websites, you are expressly consenting to these monitoring activities. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the system or its operation are prohibited. Evidence of such acts may be disclosed to law enforcement authorities and result in criminal prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996, 18 USC 1030, or other applicable criminal laws. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.
The CFTC’s information systems also are protected by EINSTEIN cybersecurity capabilities, under the operational control of the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). Electronic communications with the CFTC may be scanned by government-owned or contractor equipment to look for network traffic indicating known or suspected malicious cyber activity, including malicious content or communications. Electronic communications within CFTC will be collected or retained by US-CERT only if they are associated with known or suspected cyber threats. US-CERT will use the information collected through EINSTEIN to analyze the known or suspected cyber threat and help the CFTC and other agencies respond and better protect their computers and networks. For additional information about EINSTEIN capabilities, please see the EINSTEIN program-related Privacy Impact Assessments available on the DHS cybersecurity privacy website along with other information about the federal government’s cybersecurity activities. See, for example, The EINSTEIN Program and DHS Privacy & FOIA Reports.
The CFTC regularly publishes information in the Federal Register on its systems of records maintained under the Privacy Act of 1974. See CFTC Privacy Act Systems of Records Notices.
Chief Privacy Officer
Commodity Futures Trading Commission
1155 21st St., N.W.
Washington DC 20581
Updated 8 December 2015