If you hold a passport from the UK, France, Germany, Japan, or one of 40-plus other countries, you've likely enjoyed the simplicity of entering the United States without a visa. A quick ESTA application online, and you're cleared for up to 90 days of travel. That ease could soon become significantly more complicated.
U.S. Customs and Border Protection is reworking its approach to collecting digital information from travellers arriving under the Visa Waiver Program. The original version of the plan would have required every single applicant to hand over up to five years of social media history as part of their ESTA submission. The backlash was immediate and fierce. Privacy advocates, travel industry groups, and governments worldwide raised alarm bells about what this kind of data collection could mean for tourism, personal freedom, and digital privacy.
A More Selective Screening Process
Rather than scrapping the idea entirely, CBP is now considering what officials call a "waterfall approach." Think of it as a tiered system. Not every traveller would face the same questions. Instead, the amount of information requested would depend on how you answer initial questions in your ESTA application. Only certain applicants would trigger deeper digital scrutiny based on their responses. It's a pivot designed to address some privacy concerns while maintaining what border officials believe enhances security.
The details of what "deeper scrutiny" actually means are extensive and somewhat unsettling. Beyond social media usernames, the data collection could extend to phone numbers used over the past five years and email addresses spanning a decade. Officials are also considering requests for IP addresses, digital metadata, and family connections like details about your parents, spouse, or children.
Where Things Get Really Murky
Some earlier versions of the proposal mentioned biometric information as part of expanded security screening. We're talking fingerprints, facial recognition data, and iris scans. Even more controversial: earlier documents referenced DNA as a potential "high-value data field" for screening purposes. Given that DNA analysis has historically been confined to medical and criminal investigations, the mere suggestion of collecting genetic information from leisure travellers sparked serious concerns about where this could lead. It remains unclear whether DNA collection would survive in the revised version.
The timing question matters too. CBP has already stated the proposal won't roll out before or during major events like the 2026 FIFA World Cup. The earliest realistic implementation would likely come in late 2026, assuming further reviews don't derail the plan altogether.
Why the Travel Industry Is Worried Sick
The American Society of Travel Advisors, the World Travel & Tourism Council, and the U.S. Travel Association have all warned that stricter entry rules could make America a less attractive destination. When applying for travel requires surrendering years of digital history, potential visitors might simply choose somewhere easier. That matters enormously for airlines, hotels, tour operators, and small tourism businesses that depend on international arrivals to stay afloat.
Critics also flag a broader chilling effect. Requiring travellers to surrender years of social media activity raises real questions about digital freedom and self-expression. There's the practical worry too: how would such sensitive information, especially biometric data, be stored and protected? What happens if there's a breach? Some analysts suggest stricter US entry requirements could push travellers toward destinations with simpler processes, diverting valuable tourism revenue elsewhere.
The Security Argument
Homeland Security officials counter that the proposal exists for a simple reason: identifying potential risks before people arrive on American soil. They also note that physical device searches at the border remain relatively rare, affecting only a tiny fraction of arriving travellers. In their view, collecting more detailed digital information upstream prevents the need for intrusive searches downstream.
The truth is, this debate sits at the messy intersection of security and privacy, with no easy answers. Travellers, governments, and industry stakeholders will all be watching closely as the revised proposal moves through the review process. Until CBP releases more details on what this waterfall approach actually looks like in practice, anyone planning a US trip should stay informed about potential changes to entry requirements.
