What laws and policies authorize CBP to collect biometric data from travelers?
Executive summary
The Department of Homeland Security’s authority to collect biometrics at U.S. borders rests on a combination of statutory mandates in the Immigration and Nationality Act (INA), congressional requirements to build an integrated entry–exit system, and implementing DHS/CBP regulations formalized in a 2025 final rule titled “Collection of Biometric Data From Aliens Upon Entry to and Departure From the United States” (effective Dec. 26, 2025) [1] [2]. That regulatory package removes prior pilot limitations, authorizes CBP to collect facial photographs (and in limited cases fingerprints) from noncitizens at airports, land ports, and seaports, and relies on existing information systems such as IDENT and the Traveler Verification Service to match biometric and biographic records [1] [3] [4].
1. Statutory backbone: the INA and congressional mandates
The legal foundation is rooted in the Immigration and Nationality Act, which gives DHS broad authority to inspect and control alien travel and explicitly contemplates requiring biometrics from aliens entering or leaving the United States. Congress has also mandated development of an integrated, automated entry–exit system to match biographic data and biometrics of aliens, which underpins CBP’s mission to verify identities and prevent fraud and overstays [1].
2. The 2025 DHS final rule: regulatory authorization and scope
DHS’s October 2025 Federal Register final rule amends DHS entry/exit regulations to authorize CBP to collect facial biometrics from all noncitizens upon entry and exit across multiple modalities, removes prior exemptions (including many Canadian visitors and diplomats), and eliminates the regulatory limits that had confined biometric exit collection to pilots at a small number of ports [2] [5] [6].
3. Implementation tools and agency systems named in the rule
CBP has operationalized that authority through technologies and systems referenced in the rule and agency materials: the Traveler Verification Service (a cloud-based facial biometrics matching service) and enrollment of noncitizen biometrics into DHS’s Biometric Identity Management System (IDENT) for verification; CBP’s privacy policy explains retention practices for U.S. citizen photos and confirms noncitizen biometric enrollments into IDENT [2] [4].
4. Regulatory detail and implementing CFR changes
The final rule aligns regulatory text in parts of the DHS entry/exit regulations—updating 8 C.F.R. provisions governing inspection and the collection of photographs and biometrics—and clarifies that biometric collection may occur at airports, land borders, seaports, and “any other authorized points” of departure or arrival, supporting CBP’s nationwide implementation plan [6] [3] [7].
5. Stated purposes, benefits, and supporters’ views
DHS and proponents frame the statutory/regulatory changes as necessary to prevent document fraud, detect imposters and criminals, reduce overstays, and meet the 9/11 Commission’s recommendation for biometric entry–exit—arguments emphasized in the Federal Register and agency releases and echoed by immigration-policy groups that support a comprehensive biometric system [1] [2] [8].
6. Critics, privacy framing, and procedural caveats
Opposition and privacy concerns are implicit in the record: while CBP asserts privacy safeguards (e.g., short-term retention for U.S. citizen photos and adherence to DHS privacy rules), civil liberties advocates and some stakeholders worry about scope creep, data sharing, and the removal of prior limitations. The final rule’s effective date (Dec. 26, 2025) authorizes collection but does not equate to instantaneous operational rollout for every travel mode, a distinction CBP has emphasized in guidance to aviation and travel partners [4] [9].
7. What the reporting does not resolve
The provided reporting documents the statutory basis, the final rule, and CBP systems, but it does not fully disclose operational implementation timelines for each modality, the precise limits on biometric types in practice beyond facial photos and “limited” fingerprints, or exhaustive safeguards for third‑party access or international data sharing. These are areas where agency notices and future Federal Register entries will be required to fill in details [2] [6] [9].