Traveler Privacy Protection Act of 2025
The Traveler Privacy Protection Act of 2025 would significantly restrict how the Transportation Security Administration (TSA) can use facial recognition technology in airports. The bill defines specific terms for facial recognition, biometric data, and identity verification, and prohibits broad collection and use of passengers’ biometric information. It creates separate rules for trusted traveler programs (like Global Entry, NEXUS, etc.) and for general passengers, requiring clear notices and explicit consent for the use of facial recognition. The act emphasizes data minimization, limited retention, and strict safeguards against tracking, profiling, or discriminatory treatment. It also requires GAO oversight with annual (and then ongoing) reports on effectiveness, accuracy, potential bias, and privacy protections, and it tightens related aviation security laws to reflect these restrictions. In short, the bill moves the federal framework toward opt-in, largely surveillance-free passenger processing at airports, with limited, clearly defined uses of facial recognition and strong privacy, civil rights, and transparency protections.
Key Points
- Prohibitions and limitations on biometric data use
  - TSA may not capture, store, or process passenger biometric information via facial recognition for purposes beyond narrowly defined identity verification, with several explicit exceptions.
- Opt-in/opt-out framework for identification
  - Trusted Traveler Programs may use facial recognition at screening only under strict consent and opt-out provisions.
  - General passengers may be verified using approved IDs without biometrics unless they opt in to facial recognition; if they opt in, consent must be affirmative and clearly obtained before each use.
- Disclosure, notices, and equality
  - Clear notices at enrollment/renewal and at screening points to explain how biometric data will be used, stored, shared, and deleted.
  - Signage and announcements must enable easy opt-in/opt-out choices, and passengers who opt out must be treated equally without discrimination or harsher screening.
- Data minimization and retention limits
  - From 30 days after enactment, biometric data collected must be directly relevant and necessary for identity verification.
  - Biometric data may not be shared publicly, and storage is limited (1:1 matches kept only as long as needed; 1:N matches stored no longer than 24 hours after flight departure, with limited exceptions).
  - Images should generally be used only for identity verification and not for other purposes.
- Prohibition on passive surveillance and broad tracking
  - TSA may not use facial recognition to track or identify passengers outside screening locations, nor to profile or discriminate against individuals for exercising constitutional rights or for broad monitoring.
- Oversight and reporting
  - The Comptroller General (GAO) must study and report on the technology’s effectiveness, false positives/negatives, methodology, bias (disaggregated by age, race, ethnicity, sex), and privacy/civil rights implications, with annual unclassified reports and possible classified annexes.
- Testing/evaluation exceptions and pre-enactment data
  - Limited testing and evaluation can occur in a separate area under strict conditions, with notices under the Privacy Act and deletion of pre-enactment data that would violate the new rules.
  - Pre-enactment biometric data that would violate the new restrictions must be disposed of within 90 days of enactment.
- Legal amendments
  - The bill would add restrictions to the Aviation and Transportation Security Act and related sections to align with these privacy protections.