A deep dive into Federal Register Document 2025-22461 and its implications for privacy, business travel, and global data protection standards
The Trump Administration has proposed what may become the most invasive border data collection regime in modern history. Published in the Federal Register on December 10, 2025, U.S. Customs and Border Protection’s proposed revisions to the Electronic System for Travel Authorization (ESTA) would require approximately 14 million annual visa-waiver travelers to surrender unprecedented amounts of personal data—including five years of social media history, a decade of email addresses, and potentially their DNA.
For cybersecurity professionals, privacy advocates, and anyone doing business internationally, this proposal demands immediate attention. The 60-day public comment period closes February 9, 2026.
What Exactly Is Being Proposed?
CBP’s notice (OMB Control Number 1651-0111) outlines sweeping changes to how travelers from 42 Visa Waiver Program countries apply to visit the United States. The proposal cites Executive Order 14161, “Protecting the United States From Foreign Terrorists and Other National Security and Public Safety Threats,” signed in January 2025.
Mandatory Data Collection Requirements
The Federal Register document specifies these “high value data fields” will be collected “when feasible”:
Social Media (Mandatory)
- Complete social media history from the past 5 years
- All platforms and handles used
Contact Information
- Personal telephone numbers used in the last 5 years
- Email addresses used in the last 10 years
- Business telephone numbers used in the last 5 years
- Business email addresses used in the last 10 years
Family Member Information
- Names of parents, spouse, siblings, and children
- Family member telephone numbers used in the last 5 years
- Family member dates of birth
- Family member places of birth
- Family member residencies
Biometric Data
- Facial recognition data
- Fingerprints
- Iris scans
- DNA
Technical Metadata
- IP addresses from electronically submitted photos
- Photo metadata
The Mobile App Mandate
Perhaps equally significant: CBP intends to decommission the ESTA website entirely. All applications would be submitted exclusively through the ESTA Mobile application. The stated justification centers on security vulnerabilities in the current web-based system:
- Over 2,400 poor quality passport photo uploads detected
- More than 8,000 invalid passport photos that bypassed facial comparison screening
- Hundreds of fraudulent ESTAs created through counterfeit passport images
- Ongoing issues with third-party fraudulent websites charging travelers without submitting legitimate applications
The mobile app enables Near Field Communication (NFC) verification of ePassport chips, liveness detection for selfies, and automated facial recognition matching—capabilities unavailable through web submission.
Voluntary Self-Reported Exit (VSRE) Pilot
The CBP Home mobile app will also enable a departure tracking system. Travelers can voluntarily provide:
- Biographic data from travel documents
- Facial images for biometric confirmation
- Geolocation data to confirm departure from U.S. territory
CBP will use geolocation services and “liveness detection” software to verify that departing travelers are actually outside the United States when reporting their exit.
The Privacy and Security Implications
Unprecedented Data Aggregation
This proposal creates what Privacy International describes as “an unprecedented immigration system.” Consider the scale: over 70 million people visit the U.S. annually. If implemented, this could become one of the largest repositories of personal and biometric data ever assembled by a government agency.
The inclusion of ten years of email addresses—including business accounts—raises immediate questions about corporate data protection, attorney-client privilege, and competitive intelligence. A business traveler’s decade of professional communications infrastructure would become visible to federal authorities.
AI-Enabled Analysis Is Inevitable
No human CBP officer will manually review five years of social media posts for each of the 14 million annual ESTA applicants. As Privacy International notes, AI tools like Retrieval-Augmented Generation (RAG) will almost certainly be deployed to scan, summarize, and make determinations about travelers’ digital histories.
This raises critical questions about algorithmic bias, lack of due process, and the potential for “AI-enabled automated decisions that have significant consequences to people’s lives and livelihood.” What training data informs these systems? What constitutes a red flag? Who audits the decisions?
The DNA Question
The inclusion of DNA is particularly striking. As noted in the Federal Register document, CBP lists “face, fingerprint, DNA, and iris” as biometric categories for collection. Currently, no smartphone enables DNA sample collection—making the inclusion seem aspirational rather than immediately practical.
But the policy groundwork is being laid. Travel commentator Ed Hasbrouck has observed that including DNA in the data collection framework establishes precedent for the day when such collection becomes technologically feasible at scale.
Children Are Not Exempt
Previous biometric collection programs exempted travelers under 14 and over 79. Recent policy changes have removed these age-based exceptions, meaning travelers of any age could be subject to these enhanced screening requirements.
Business and Economic Impact
The U.S. Travel Association said it is “deeply concerned” by the announcement. A study from the World Travel and Tourism Council and Oxford Economics projects the U.S. to be the only country among 184 measured to see a decline in foreign visitors, with estimated economic losses of $30 billion.
Compliance Considerations for Organizations
For CISOs and compliance officers, this proposal creates immediate planning requirements:
Data Inventory Questions
- What business email addresses have employees used while traveling internationally?
- How do you track five years of communication infrastructure changes?
- What family member data might employees be required to disclose?
Policy Implications
- Should corporate travel policies address social media disclosure requirements?
- How do non-disclosure agreements interact with mandatory government disclosure?
- What guidance should be provided to employees about personal device usage in light of CBP’s mobile app requirement?
Vendor and Partner Considerations
- How will this affect international recruitment and talent mobility?
- What due diligence is required when foreign partners visit U.S. facilities?
- How should organizations prepare for potential retaliatory requirements from other nations?
Global Ripple Effects
History suggests other nations will follow the U.S. lead on border surveillance. After post-9/11 biometric programs were introduced, similar requirements spread globally. The European Union is currently launching its own biometric registration program for visitors.
Russia has already mirrored previous U.S. social media identifier requirements in its visa program. If DNA and comprehensive digital history requirements become normalized, expect parallel programs worldwide.
This creates a race to the bottom on privacy that affects everyone, everywhere.
Resources for Assessment and Response
Understanding your organization’s exposure to these requirements—and building appropriate data protection practices—requires comprehensive assessment tools.
Privacy and Compliance Tools
Children’s Privacy Laws Assessment - With age exemptions being removed from biometric collection, understanding how children’s data is handled becomes critical for family travel policies.
PII Compliance Assessment - Evaluate your organization’s personal data handling practices against evolving regulatory requirements, including cross-border data transfer implications.
Biometric Privacy Assessment - Assess your exposure to biometric data collection requirements and understand the privacy implications of facial recognition, fingerprint, and iris scanning programs.
Digital Twin Risk Assessment - As governments aggregate comprehensive digital profiles of travelers, understanding digital twin risks becomes essential for personal and organizational security planning.
How to Submit Comments
CBP is accepting public comments until February 9, 2026. Comments must include OMB Control Number 1651-0111 in the subject line and should be submitted in English.
Email: CBP_PRA@cbp.dhs.gov
For additional information: Seth Renkema, Chief, Economic Impact Analysis Branch, U.S. Customs and Border Protection, 90 K Street NE, 10th Floor, Washington, DC 20229-1177. Phone: 202-325-0056
The Federal Register notice specifically requests comments on:
1. Whether the proposed collection of information is necessary for the proper performance of agency functions
2. The accuracy of the estimated burden (CBP estimates 22 minutes per ESTA application)
3. Suggestions to enhance the quality, utility, and clarity of information collected
4. Suggestions to minimize the burden on respondents
The Broader Context
This proposal doesn’t exist in isolation. It represents the latest escalation in a two-decade trend toward comprehensive border surveillance. What began with fingerprinting after 9/11 has expanded to include facial recognition, social media monitoring, and now potentially genetic data.
The technology industry faces a critical choice. Social media platforms will likely be pressured to provide deep-level access for government intelligence gathering. Phone manufacturers may eventually face requests to enable DNA collection capabilities. Every company in the travel ecosystem—from airlines to hotels to corporate travel management—must consider their role in this expanding surveillance infrastructure.
As Privacy International notes: “Now’s not the time to seek profit by enabling injustice, it’s the time to step up and protect everyone and our data.”
Key Takeaways
1. The scope is unprecedented: Five years of social media, ten years of email addresses, family data, and biometrics including DNA
2. Mobile app requirement: ESTA website will be decommissioned; all applications must use the mobile app with enhanced biometric verification
3. AI analysis is coming: No human reviews this volume of data manually—algorithmic decision-making is inevitable
4. Comment period is open: Deadline is February 9, 2026
5. Global implications: Other nations historically follow U.S. border surveillance practices
6. Business impact: Corporate travel policies, employee data protection, and international recruitment all require reassessment

The full Federal Register document is available at: https://www.govinfo.gov/content/pkg/FR-2025-12-10/pdf/2025-22461.pdf
Privacy International’s analysis: https://www.privacyinternational.org/news-analysis/5713/trump-administration-wants-your-dna-and-social-media
This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel regarding specific compliance requirements and travel policies.