CME Group General Privacy Notice

Effective November 17, 2023

CME Group Inc. and each of its subsidiaries and affiliates (collectively known as 'CME Group', 'we' and 'us') are committed to safeguarding your personal information. CME Group is the controller or processor of your personal information according to the privacy laws and regulations applicable to us. See section 17 below for details on how you can contact us.  

The purpose of this privacy notice (‘Notice’) is to explain how we process your personal information so that you understand what we collect, what we do with it, who we share it with and the rights available to you. The processing we undertake may include the collection, storage, modification, access, or destruction of personal information, and may be completed manually or through automatic means.

Personal information (also referred to as 'personal data' or 'data') means any information that can be used to identify you, your device, or, if you live in California, your household. This includes direct identifiers such as your name and contact details, but also indirect identifiers such as data that we may collect from the electronic device that you use to access our services.

If you have any questions about this Notice or how we use your data, our details are provided in the 'Contact details' section below.

Back to top

This Notice applies to you if you have any of the following relationships with us:

• Corporate Representative – you are a representative of any of our corporate customers (e.g. an employee or a director)
• Service User – you use any of our platforms or services
• Web Visitor – you visit our website at www.cmegroup.com, any of our social media pages or you interact with us via any third-party websites (e.g. comment on any of our blogs or posts published on a third-party website)
• Subscriber – you subscribe to receive communications from CME Group
• Purchaser – you purchase anything from us
• Communicator – you contact us either online, by telephone, post or any other method
• Supplier – you provide services to us or are employed by a company that provides services to us
• Third party customer – you are a customer of a third party and we have a relationship with that third party
• Shareholders – you hold a direct or indirect equitable interest in the CME Group
• Contributor – you contribute to our Political Action Committee (PAC) in the United States
• Scholarship candidates – you apply for a scholarship via the CME Foundation

If you are an applicant or candidate for one of our job opportunities, then you can find out more about how we use your data via our Candidate Privacy Notice and our Cookie Notice.

Back to top

Depending on the nature of the relationship you have with us, where you are located, and the products and services you utilize, we may collect and otherwise process the following personal information including, sensitive personal information in some cases about you:

• Account preferences and analytics
  Information regarding your stated preferences and relating to your use of our services.

• Audio, electronic, visual, or similar information
  Information including photographs taken in the workplace, at recruitment events or CCTV footage.

• Authentication details
  Your credentials which allow you to access our services, including: your user ID, password, memorable information.

• Communication records
  Records of any communications between you and us, including via email, our website (e.g. through our 'Send us feedback form'), telephone, social media and letter.

• Contact details
  Your name, title, home address, office address, company name and type, job role, email address, telephone number and mobile number.

• Device and electronic information
  Details we collect from your devices when you access our services: include your IP address, cookies, activity logs related to interactions with our systems, online identifiers, device type, operating system, browser, unique device identifiers, and geo-location data.

• Service usage
  When you are operating our services (e.g. one of our software applications) we will collect records of your usage including transactions that you undertake, information that you select, logs of when you access the services and for how long, details of any failed login attempts and any information that you choose to download.

• Identification information
  Information that is used to verify your identity such as: national insurance number (UK only), social security number, personal identify number (Sweden only), date of birth, place of birth, passport, driver’s license, and proof of address.

• Financial information
  Credit/debit card details.

• Financial status
  Information used to determine your credit worthiness, such as your credit rating, bank statements and tax information.

• Product and service preferences
  Product update preferences, market activities reports, trading and technology communications as well as clearing and market regulation advisories, and though leadership and economic report subscriptions.

• Professional information
  Your job role/title, function and details of the organization you work for.

• Social network information
  Social media account information and personal information collected from social media accounts.

• Website posts
  Posts, comments or other information you submit on any public forums on our website including message boards and chat rooms.

In addition, we may also collect the following categories of personal data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:

• Biometric data
  Fingerprint data is captured for Financial Industry Regulatory Authority (FINRA) purposes and in certain situations when allowing access to individuals to our premises. 

• Criminal convictions
  Information relating to any criminal record that you may have, including suspicions, offences and convictions.

Back to top

In addition to any personal information that you provide to us directly, we may also collect and derive data about you through the following means:

• Cookies and similar technologies – when you visit our website or use any of our mobile applications, we may employ cookies and similar technologies. See section 13 below for further details.
• Monitoring of platforms and services – if you use any of our platforms (e.g. CME Globex) then we may collect data on your usage of these.
• Third party sources – other organizations may provide us with access to certain data, as further detailed in section 8 below.
• Data analytics – we may infer or derive certain data about you through our analytical processes, which are further explained in section 5 below.

Please see section 8 'Who we may receive your data from and why' for further information on the types of third parties from which we may receive your personal information.

Back to top

Depending on the nature of the relationship that we have with you, where you are located, the purposes for which we may use your data are as follows:

• Processing any application (made via online forms or click-through agreements) you make to become an individual member of CME
• Verifying your identity
• Performing Know Your Customer (KYC) or Anti-Money Laundering (AML) reviews
• Assessing your creditworthiness
• Providing you with customer services and assistance relating to our services
• Communicating with you in relation to any services that we provide to you
• Assisting you with managing any account you have with us
• Monitoring of how you use any service you have with us and our services
• Conduct profiling based on your interactions with us to identify individuals most interested in our products and services
• Sending you newsletters and marketing materials, if you have chosen to subscribe to receive them and otherwise advertising our products and services
• Personalizing our services
• Improving our products and services
• Registering your attendance at our events and conferences
• Assisting with training our staff and our customers
• Administration of our business
• Compliance with laws that are applicable to us
• Defending ourselves and bringing claims in relation to legal proceedings
• Safeguarding our environments
• Administration of our political action committee
• To assess scholarship applications
• Shareholder services
• Security and protecting our systems

To provide our services, some personal information is necessary so CME can provide you with the required access to CME platforms, information or products. CME also requires personal information to authenticate you so that we know it is you and not someone else. Should you choose not to provide the necessary personal information, we may be unable to facilitate your services or access. You may choose to opt-in or opt-out of receiving marketing communication at any time.

If you are located in the People's Republic of China ("PRC", for the purpose of this Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your personal information based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests).

We are committed to only using your personal data to the extent relevant, necessary and permitted by applicable local laws.  Further information about the purposes for which we may use your data, the categories of personal information that are relevant to each purpose and the lawful basis we rely upon in the EU and elsewhere (as applicable) are outlined below.  We have also clarified under what circumstances this processing activity is likely to be performed, with reference to the relationship that you have with us. 

We may de-identify, aggregate or anonymize your personal information in such a way that you may not reasonably be re-identified by us or any other party. We may use such de-identified information as permitted under applicable local law.  To the extent we de-identify any personal information and are not required to re-identify it  to comply with  applicable laws, we will make  reasonable efforts to maintain and use such data in a de-identified form and will not attempt to re-identify the data.

Back to top

We may disclose your data to CME Group entities, service providers or other third parties for various purposes, to achieve our business objectives, and/or to comply with applicable laws. We have agreements in place with these external third parties who process your personal data to ensure their compliance with the applicable data protection laws.

We may disclose your personal information to the following parties to achieve our own purposes and not for money or other valuable consideration:

• CME Group – As needed facilitate our operations business, services and products.
• IT suppliers – including hosting providers, service providers and telecommunications providers to manage our business and support our environment and operations.
• Marketing providers – who may, through the course of their professional services to CME be required to have access to CME services for providing required system services i.e. hosting services, database marketing, customer analytics.
• Credit references agencies – to check your creditworthiness in relation to your credit score and financial status for us undertaking 'KYC' checks if you apply for membership with us.
• Third party payment providers – to process payments when you purchase products or services from us.
• Regulators and authorities – As a global company CME Group is subject to a number of financial and information regulators internationally. CME Group is also based in a number of jurisdictions and subject to those applicable laws. CME Group will therefore, as permitted by applicable laws, share information with these parties to cooperate fully with state, local, federal, and international legal, governmental and regulatory entities, authorities and officials in any investigation or governmental, legal or regulatory proceeding relating to any information collected or to any purported unlawful activities.
• Professional advisors – including accountants, financial advisors, lawyers and other professional advisors to support auditing, compliance and corporate governance functions.
• Law enforcement agencies – in relation to the detection and prevention of criminal activities, as permitted by applicable laws.
• Prospective purchasers and assignees – if our business, or part of it, may be or is sold or reorganized.

We may also share de-identified or aggregated information with anyone and for any purpose. To receive more information about the service providers or third parties to which we may disclose your data, you can contact us through the information provided in the 'Contact details' section below.

Back to top

We may process information collected from or about you in any country in which the CME group operates, as permitted by applicable laws.

In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the European Union). When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) and/or put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.

Information located outside of your home country may be subject to access by that country's government or its agencies under a lawful order, as permitted by applicable laws.

We put in place appropriate procedures and safeguards in accordance with applicable legal requirements when conducting such transfers. For more information on the appropriate safeguards in place or to obtain a copy of these safeguards, please contact us through the information provided in the 'Contact details' section below.

People’s Republic of China (“PRC”):

All data, including personal information, as defined under the Personal Information Protection Law of PRC, provided to us by you will be used, distributed, and maintained in accordance with this Notice, which forms a part of the contractual terms that you agree to.  If you, as an institution, are providing us with this data, you confirm that you have obtained all the necessary consents from the relevant data subjects concerned, and your processing, use and transfer of data to us complies with all applicable PRC data privacy laws.  If you, as a natural person, are providing us with your personal information, you expressly give us consent to any processing, use or transfer of such data. In each data transfer above, you acknowledge and agree that the data may be transferred outside of the territory of the PRC.

Back to top

We may receive certain data about you from various third parties from time to time, including:

• CME Group – as needed to facilitate our business operations, services and products.
• Our corporate customers – we may receive information directly from our customers (e.g. the company that you represent)
• Third party agencies – who may provide us with information that they have collected from you on our behalf (e.g. companies that perform background checks on behalf of CME)
• Social media platforms – including publicly available information sources from social media pages or via services provided via social media platforms (e.g. LinkedIn, WeChat, Weibo, Facebook, X (formally Twitter), etc.)
• Third parties that you have a relationship with – if you are a customer of a third party and we have a relationship with that third party, we may receive information from them
• Publicly available government and non-government data – information about you that are available from the government or otherwise publicly available

Back to top

This section provides California residents with additional information regarding our collection, use, disclosure, and retention of their personal information, as well as the rights that California residents may have under applicable law.

Categories of personal information we collect

The chart below describes the categories of personal information we collect from the sources identified above in Sections 4 and 8 of this Notice, as well as the categories of third parties to whom we may disclose, “sell” or “share” (as those terms are defined under California law) each category of personal information for the business and commercial purposes described in Section 5 of this Notice.

¹ As defined under California law.

We may “sell” or “share” for cross-contextual behavioral advertising your personal information (as these terms are defined under California law). We do not have actual knowledge of “selling”^[1] or “sharing”² the personal information of consumers under the age of 16.

We do not use or disclose your sensitive personal information for purposes other than permitted under applicable law.

² As defined under California law.

Your California Privacy Rights

In addition to certain rights described in Section 10 of this Notice, you may have the following rights under California law:

• Opt-out – opt-out of “sales” of personal information or “sharing” of personal information for cross-contextual behavioral advertising purposes (as these terms are defined under applicable law)
• Not be discriminated against – not be unlawfully discriminated against for exercising your rights

Submitting Requests

To exercise your rights to know, access, correct, and delete, please review the additional information provided in Section 10 of this Notice.  To exercise your right to opt out of our “sale” or “sharing” of your personal information, please visit our Cookie Preference Center.

Verification

We may request that you provide sufficient information that allows us to verify, to a reasonable degree of certainty, that you are the person about whom we collected personal information. Authorized agents may also be required to provide a copy of your signed permission authorizing the agent to submit requests on your behalf.

California Online Erasure. California residents under age 18 who are registered users of any of our services geared toward this age group may ask us to remove content or information that you have posted to CME websites or related platforms by contacting us using the information in the ‘Contact details’ section below. Please note that your request does not ensure complete or comprehensive removal of the content or information, as, for example, some of your content may have been reposted by another user.

Back to top

Subject to local law, you may have the following rights regarding your personal information. These rights may be limited or denied in some circumstances. For example, we may retain your personal information where required or permitted by applicable law.

• Access/Know – request a copy of your personal information and information relating to how it is processed
• Rectify/Correct – request any inaccuracies in the personal information we hold about you be corrected
• Erasure/Deletion – request that we erase your personal information from our records
• Restrict – request that your data is no longer processed by us
• Object – object to certain ways that we process your personal information
• Transfer – request that your personal information be disclosed to a third party
• Withdraw your consent – where we are relying on your consent to process your personal information, then you can withdraw your consent at any time
• Lodge a complaint – you may be entitled to lodge a complaint with your local data protection authority.

If you reside in France, you also have the right to give instructions to us about the fate of your personal information after your death.

Submitting Requests

To exercise your rights to know, access, correct, delete, restrict, object, or portability under applicable local law or if you are an authorized agent seeking to exercise rights on behalf of a consumer under applicable local law, please contact us on the details set out in the 'Contact details' section of this Notice below. You may also exercise these rights via our Cookie Preference Center.

Please note that some of your rights are not absolute and there may be certain circumstances where we are unable to fulfill a request that you have made. In some circumstances we may also require that you provide additional personal information to confirm your identity.

Back to top

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.

CME may use automated analytics to identify individuals who would be most interested in our product, this may result in individuals being contacted about CME products or services.

Back to top

We use technical, administrative, and physical security safeguards and other reasonable security measures to protect the information that we collect or receive against loss and unauthorized access, use modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including internet and wireless networks.

Back to top

CME Group retains personal information for the duration of the business relationship or where required, in accordance with the internal records management and retention policies, as well as regulatory requirements that may be applicable to us.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements.

We make reasonable attempts to ensure that all instances of such information (e.g. production, backups, etc.) are deleted in their entirety, including any of your personal information. For requests for access, corrections, or deletion please see "Contact Us" below.

Back to top

Please see our Cookies Notice for further information on how we use cookies on our website.

Back to top

Our website and services are generally not directed at children under the age of 18. If we obtain actual knowledge that any personal information we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our website from the EU/EEA or if you access an EU/EEA website, the age limit will be 16. If you access our website from the PRC or if you access a PRC website (if any), the age limit will be 14.

Back to top

There may be certain circumstances where we process your personal information on behalf of one of our customers and do not use it for our own purposes. For instance, our customer may upload your information to one of our applications which is hosted on our servers. In these circumstances, CME is acting a processor or a service provider in relation to another company that is the controller or business responsible for the handling of your personal information, as these terms are used in applicable data protection laws. This privacy notice will not apply to CME as a processor or service provider, and you should instead refer to the privacy notice of the organization that provides us with your personal information.

The above does not apply to CME Group under the applicable PRC data privacy laws, where no distinction between "data controller" and "data processor" is made. You should however still refer to the privacy notice of the organization that provides us with your personal information, where we would be deemed a third-party data processor.

Back to top

We may update this Notice from time to time. For instance, there may be changes in the data we collect about you or the purposes for which we use it.

Whenever there are significant changes to the Notice then we will notify you of these.

Back to top

If you have any comments, questions or concerns about how we process your data, then please contact Privacy Compliance at Privacy@cmegroup.com.

CME Group Inc.
20 S. Wacker Drive
Chicago, IL 60606

+1 312 930 1000
+1 866 716 7274 (US Only)

For the purposes of data protection in the EU/EEA:

The full list of companies across the CME Group and the contact details of each company can be found here.

• The CME Group has a designated Data Protection Officer registered for a number of CME entities. They can be contacted at Privacy@cmegroup.com

Back to top