The bill adds a new subsection to 49 U.S.C. 44901 that constrains the Transportation Security Administration’s use of facial recognition and facial‑matching technology at airports. It draws a bright line: the TSA may not generally capture, store, or process passenger biometric information except in narrowly defined scenarios (document authentication and specified Trusted Traveler operations) and then only under strict notice, consent, and retention rules.
For operations, the Act requires affirmative, time‑limited consent regimes (opt‑in for ordinary travelers, opt‑out for Trusted Traveler enrollees), sets short retention windows for biometric matches, mandates deletion of previously stored images that would violate the new rules, and orders an annual GAO study of efficacy and bias. The change forces near‑term operational, vendor, and compliance adjustments across airports, the TSA, Trusted Traveler programs, and biometric suppliers.
At a Glance
What It Does
The bill amends 49 U.S.C. 44901 to prohibit routine capture, storage, or processing of passenger biometric data collected via facial recognition except for narrow uses: verifying ID documents and limited Trusted Traveler identity checks. It requires explicit passenger consent regimes, prescribes data‑minimization and retention limits (including a 24‑hour cap for certain 1:N matches), and compels disposal of pre‑existing biometric records that would violate the new rules.
Who It Affects
Directly affects the TSA and its screening operations, airports and airport operators responsible for signage and passenger flow, Trusted Traveler program operators (Global Entry, PreCheck, SENTRI, NEXUS), biometric technology vendors, and all non‑employee passengers traveling through U.S. airports. Airlines and state DMVs will face operational ripple effects tied to ID verification protocols.
Why It Matters
This bill establishes the first clear federal baseline restricting facial recognition inside airport screening, shifting the compliance burden onto the TSA and airports while tightening vendor data practices. For privacy officers and compliance teams it creates concrete timelines and technical constraints (retention, deletion, consent mechanics) that require changes to system design and operational procedures.
What This Bill Actually Does
The Act inserts a new subsection into the federal aviation safety statute that starts by defining the vocabulary operators will use: it distinguishes 1:1 "matching" (comparing a live biometric to the photo on an ID) from 1:N "identification" (comparing a live biometric to biometrics already accessible to DHS). It defines who counts as a passenger (excluding employees and contractors) and lists the identification documents the TSA may rely on for non‑biometric verification.
The core rule is a default ban on capturing, storing, or processing biometric information from passengers for any purpose, with limited exceptions. The TSA may use facial‑matching technology to read or authenticate a photo on an ID document and may use facial matching at the screening location to verify the identity of Trusted Traveler enrollees — but only if the agency provides clear notice at enrollment and renewal, allows an opt‑out, ensures no discriminatory or worse treatment for those who opt‑out, and offers easily accessible signage and spoken notices at the point of verification.
For passengers who are not in Trusted Traveler programs, the bill flips the choice: the TSA may only use facial matching at screening if the passenger affirmatively opts in before each use. The bill requires the TSA to obtain "affirmative express consent" — an explicit act distinct from entering a checkpoint or agreeing to broad terms of service — and to make the opt‑in option visible and accessible before identity verification.
Data‑minimization and retention rules are operational requirements. The TSA may capture facial images only to the degree necessary to verify identity, may not share biometric data outside the agency except in narrow testing contexts, and may not retain 1:N match data longer than 24 hours after the passenger’s scheduled departure (while images retained under testing are limited to 90 days).
The bill also forces the TSA to delete any biometric images already held that would violate the new rules within 90 days of enactment. Finally, the statute forbids the TSA from using facial recognition for passive surveillance, tracking passengers outside screening areas, or broad profiling, and mandates an annual GAO report that assesses effectiveness, false positive/negative rates, and bias, and makes privacy and civil‑rights recommendations.
The Five Things You Need to Know
The bill adds subsection (m) to 49 U.S.C. 44901 and defines two technical modes: 1:1 matching (live biometric vs. photo on an ID) and 1:N identification (live biometric vs. DHS‑accessible biometrics).
TSA may use facial matching for Trusted Traveler identity verification only after providing notice at enrollment and renewal, and must offer an opt‑out without imposing worse treatment for opt‑outs.
For non‑Trusted Traveler passengers the TSA may use facial matching at the checkpoint only if the passenger provides affirmative express consent prior to each use; passive presence in a line is not consent.
Retention limits: biometric data from 1:N identification may not be stored longer than 24 hours after the passenger’s scheduled flight departure; testing data has a 90‑day deletion cap, and the TSA must delete pre‑existing biometric records that would violate the law within 90 days of enactment.
The Comptroller General must produce an initial report within one year and then annually assessing efficacy, false positives/negatives, bias (disaggregated by age, race/ethnicity and sex where practicable), and recommending privacy and civil‑rights protections; reports may include a classified annex but must protect passenger PII.
Section-by-Section Breakdown
Sets the technical and programmatic terms the rest of the subsection uses
This early provision lays out precise meanings for 1:1 and 1:N, lists acceptable ID documents (driver’s licenses, passports, Trusted Traveler credentials, military IDs, certain Canadian documents, TWIC, etc.), and defines key program terms such as ‘‘Trusted Traveler Program’’ and ‘‘affirmative express consent.’’ That matters because compliance will turn on these definitions — for example, which documents allow non‑biometric verification versus when biometric checks are even permitted.
Default prohibition with narrow operational exceptions and consent regimes
This section establishes the operative rule: the TSA may not capture, collect, store, or otherwise process passenger biometrics for general use. It then carves out two narrow uses: document authentication (reading a photo on an ID) and identity verification at the screening location for Trusted Traveler participants. The provision also prescribes different consent regimes: Trusted Traveler enrollees must be given opt‑out options at enrollment/renewal and at the point of verification; ordinary passengers must affirmatively opt in prior to each biometric use. The text enumerates required signage, spoken notices, and the non‑retaliation rule (no worse treatment for opting out or not opting in).
Limits how much biometric data may be collected, shared, and how long it may be retained
The bill requires the TSA to capture facial images only to the extent necessary to verify identity, forbids sharing biometric data outside the agency except in limited circumstances, and sets concrete retention caps — most notably a 24‑hour maximum for biometrics collected via 1:N identification. The provision also restricts comparisons to the passenger’s provided ID photo unless operating a Trusted Traveler program, constraining secondary uses of captured images.
Testing is allowed on a narrow, transparent basis; the agency must purge legacy records
The TSA may retain images for testing and evaluation in a segregated area, but only under strict notice (Privacy Act notice), with clear limits on storage (images deleted within 90 days) and a prohibition on repurposing test images. Separately, the statute requires the TSA to dispose of biometric images collected prior to enactment that would violate the new rules within 90 days, creating an immediate data‑sanitation obligation for the agency and its contractors.
No tracking passengers outside screening or broad profiling
The bill flatly bans the TSA from using facial recognition to track or identify passengers outside screening locations, to profile or target individuals for exercise of Constitutional rights, or to enable systemic, wide‑scale monitoring. Operationally, that prevents use of terminal cameras or networked CCTV tied into facial‑matching systems for routine passenger surveillance.
Annual evaluation, reporting requirements, and modifications to related aviation statutes
The Comptroller General must issue an initial and then annual unclassified report (with optional classified annex) evaluating effectiveness, error rates, bias (disaggregated where practicable), and recommending protections. The bill also amends the Aviation and Transportation Security Act and 49 U.S.C. 44903 cross‑references to ensure other aviation security authorities are subject to these new restrictions, preventing regulatory loopholes that could otherwise permit broader biometric uses.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Air travelers who wish to avoid biometric tracking — they gain a statutory right to decline facial recognition at checkpoints or to opt out of Trusted Traveler biometric checks without being penalized.
- Privacy and civil‑liberties organizations — they obtain a federal baseline that curtails data collection, mandates deletion of legacy images, and requires oversight reporting on bias and error rates.
- Passengers enrolled in Trusted Traveler programs who prefer non‑biometric verification — the bill guarantees an opt‑out and affirmative notice at enrollment and renewal so they can choose a document‑based alternative.
- Communities and groups disproportionately affected by facial recognition errors — short retention windows and a ban on passive surveillance reduce the exposure window for misidentification and large‑scale tracking.
Who Bears the Cost
- Transportation Security Administration — must redesign workflows to capture consent, implement opt‑in/opt‑out paths, add signage and spoken notifications, audit vendor practices, purge legacy data, and support GAO testing requests.
- Airport operators — must place notices across check‑in, checkpoints and gates, modify passenger flow and queueing to accommodate non‑biometric verification lanes, and coordinate with TSA on space and signage.
- Biometric technology vendors and integrators — face technical redesigns to support per‑use consent, limited retention windows, segregated testing environments, and contract changes to comply with disposal mandates.
- Trusted Traveler program administrators and enrollment centers — must provide clear notice at enrollment and renewals, build opt‑out workflows, and ensure identity verification alternatives without degrading the passenger experience.
Key Issues
The Core Tension
The central dilemma is between protecting individual privacy and civil‑liberties interests by sharply limiting biometric collection and requiring explicit consent, and preserving the throughput, automation, and security benefits the TSA and airports claim facial‑matching technologies provide; the bill favors privacy and consent at the potential cost of operational complexity, additional expense, and possible impacts on screening efficiency.
Implementation will be operationally messy. Requiring affirmative express consent "prior to each use" and distinct opt‑out/opt‑in flows creates throughput friction at busy checkpoints; TSA and airports will need new queue management, staff training, and interface changes to avoid delays.
The statute's retention windows (24 hours for 1:N matches, 90 days for testing, 90 days to purge legacy data) are explicit but may not align with investigative or operational needs in practice, raising the risk of either rushed deletions or informal workarounds. The bill limits sharing of biometric data "outside the Administration," but it does not fully map interagency data flows (e.g., between TSA and CBP or law enforcement) in all contingencies, leaving room for legal and procedural disputes about access during investigations or incidents.
The consent regime raises practical questions about equity and informed choice: passive signage and spoken announcements can meet the notice requirement on paper but may not suffice for non‑English speakers, people with disabilities, or travelers under time pressure. The testing exception is narrowly scoped, but without robust auditing and public transparency, testing data could become a de facto operational dataset.
Finally, the law addresses retention and deletion but does not address in detail the verification of deletions, contractor compliance, or penalties for non‑compliance — enforcement will depend on subsequent rulemaking, contracts, and oversight practices.