What specific data retention and deletion rules govern TSA ConfirmID biometric images and which vendors process them?
Executive summary
TSA and DHS documentation present a layered, role-based set of retention rules for biometric facial images used in checkpoint identity verification: under normal operating conditions TSA says images are deleted immediately after identity is verified (or within 24 hours for TSA PreCheck Touchless ID), DHS/S&T deletes demonstration data within 180 days per a TSA record schedule, while CBP’s entry/exit rules treat U.S. citizens and noncitizens differently—CBP says U.S. citizen photos are discarded within 12 hours and noncitizen photos may be retained in DHS systems for long periods (up to 75 years) [1][2][3]. Reporting and agency pages also identify CBP’s Traveler Verification Service (TVS), DHS Science & Technology, and unspecified airport/airline camera partners as the primary processors involved in the ecosystem [2][4].
1. What the agencies say about routine deletion and short-term retention
TSA’s public materials stress deletion after verification: under “normal operating conditions” traveler data and images are deleted immediately after identity is verified and, specifically for TSA PreCheck Touchless ID, TSA says information is deleted within 24 hours of scheduled departure time [1][2]. TSA’s general digital-ID pages repeat that photos and personal data are deleted after identity is verified and “are not used for law enforcement, surveillance and not shared with other entities” in normal use [5].
2. The DHS/CBP retention rules that complicate the picture
Separate DHS/CBP entry-exit rules paint a different retention horizon depending on immigration status: CBP’s final rule and privacy materials state that U.S. citizen photos used for entry/exit are discarded within about 12 hours, while noncitizen biometric enrollments are ingested into DHS Biometric Identity Management systems and may be retained for decades—CBP has cited retention up to 75 years for noncitizen records [3][4]. Those CBP retention policies apply to the entry/exit program rather than the checkpoint‑only verification flows TSA describes, but the systems interoperate [2].
3. Which organizations actually handle and process the images
Agency documentation and press reporting identify the key processors: TSA leverages CBP’s Traveler Verification Service (TVS) to create secure biometric templates and perform matches, and DHS Science & Technology (S&T) receives anonymized, encrypted data for temporary analysis during demonstrations [2]. TSA also allows airport and airline partners to operate cameras and send images to TVS under an established process, meaning third‑party vendors and airport/airline contractors operate capture hardware and the TVS/CBCP cloud environment performs matching [2][4]. Public privacy policies from third‑party identity firms like CLEAR acknowledge data sharing relationships with DHS/TSA but do not appear in the provided sources as ConfirmID-specific processors [6].
4. Testing, exceptions and temporary retention for accuracy evaluations
Both TSA and independent reporting concede exceptions: TSA says it may temporarily retain photos and data “in rare instances” to test accuracy or for temporary evaluation and that data collected during field demonstrations are securely transferred for testing then deleted in line with DHS FIPPs and TSA’s PIAs [7][8][9]. DHS materials claim that any data saved for evaluation is subject to strict retention periods and deletion policies [9]. TSA officials have also described operational overwriting practices—for example, that images may be overwritten by subsequent scans in normal operations—while stressing that biometrics are not used to create machine‑learning loops to improve matching [10].
5. Oversight, dissenting views and political context
A bipartisan set of senators has demanded oversight of TSA’s facial recognition rollout, focusing on collection, retention, deletion practices and cybersecurity risks, and legislative proposals have sought to restrict TSA’s authority or require deletion of data obtained through its biometric technology [11]. Privacy advocates and some reporters highlight opacity in where data are stored and how exceptions are defined, noting potential for scope creep when TSA interoperates with CBP systems that have much longer retention rules for noncitizens [7][9].
6. Bottom line and limits of available reporting
The documented rules are mixed and context‑dependent: TSA asserts immediate deletion after verification (24 hours for Touchless ID) and DHS says demonstration data are deleted within 180 days, while CBP’s entry/exit regime retains noncitizen biometrics far longer (up to 75 years) and discards U.S. citizen photos much sooner (12 hours) [1][2][3]. The supplied sources do not mention a vendor named “ConfirmID” specifically; therefore it is not possible from these documents to confirm who—if anyone under that exact name—captures or processes TSA checkpoint images. Public documents do identify TVS/CBP, DHS S&T, airport/airline partners and third‑party identity companies as the operative processors in the biometric matching and capture ecosystem [2][4][6].