U.S. Customs and Border Protection (CBP) is reviewing a revised version of its proposal to collect social media information from travellers entering the United States under the Visa Waiver Program. The original plan would have required applicants to submit up to five years of social media history when applying through the Electronic System for Travel Authorization (ESTA). The proposal has triggered criticism from privacy advocates, travel organisations, and international stakeholders since it was first published.
The Visa Waiver Program allows citizens from more than 40 countries to travel to the U.S. for up to 90 days without a visa. Travellers from countries such as the United Kingdom, France, Germany, and Japan normally only need to complete an ESTA application before departure. The proposed changes would make social media identifiers a mandatory part of that process.
CBP is now considering a more targeted system instead of a universal requirement for all applicants. This approach is described by officials as a “waterfall approach”. It means that not every traveller would be asked for the same level of social media information. The amount of data requested would depend on the answers given during the ESTA application process. More detailed checks could be triggered only in specific cases.
The timeline for any possible implementation remains unclear. Officials have stated that the proposal will not be introduced before or during major events such as the FIFA World Cup in 2026. The earliest possible rollout would likely be in late 2026, depending on the outcome of further review.
The scope of data collection under the proposal goes beyond social media accounts. It may include phone numbers used over the past five years and email addresses used over the past decade. Travellers could also be asked to provide IP addresses and metadata linked to digital activity. Family-related information, such as details about parents, spouses, and children, is also included in the broader data set under consideration.
Some versions of the proposal also mention biometric information as part of expanded screening. Biometrics refers to physical characteristics that can be used to identify a person. These include fingerprints, facial recognition data, and iris scans. In addition, earlier documents have referenced DNA as a potential “high-value data field”. DNA is a unique genetic code found in every person. It is normally used in medical or criminal contexts, which is why its possible use in travel screening has raised concerns. It remains unclear if DNA collection would be implemented or adjusted in the revised version.
The travel industry has reacted strongly to the initial proposal. Organisations such as the World Travel & Tourism Council (WTTC), the American Society of Travel Advisors (ASTA), and the U.S. Travel Association have warned that stricter entry rules could discourage international visitors. They argue that complex application requirements may make the U.S. feel less accessible as a destination. Some industry leaders believe this could affect airlines, hotels, and smaller tourism businesses that depend on international arrivals.
Critics also point to broader concerns about privacy and surveillance. They argue that collecting large amounts of personal digital data could discourage people from expressing opinions online. There are also questions about how sensitive information, including biometric data and possibly DNA, would be stored and protected. Some analysts warn that stricter screening rules could shift travel demand toward destinations with simpler entry processes.
CBP and the Department of Homeland Security argue that the proposal is designed to strengthen border security. Officials say that more detailed digital information can help identify potential risks before travellers arrive in the United States. They also stress that only a very small number of travellers are subject to device or phone searches at the border. According to officials, most travellers pass through entry checks without any additional screening of their personal devices.
