Check ESTA Status
ESTA news, information and help.

ESTA Visa Waiver Data Privacy

Updated: Jan 21, 2024  | Tags: ESTA, Visa Waiver Program, ESTA Data Privacy

The Electronic System for Travel Authorization (ESTA) is an automated system used by the United States Department of Homeland Security (DHS) to determine the eligibility of visitors to travel to the U.S. under the Visa Waiver Program (VWP). The program allows citizens of participating countries to travel to the United States for tourism or business for stays of 90 days or less without obtaining a visa. While ESTA has streamlined the process for entering the U.S., it has also raised concerns regarding the privacy of the data collected from applicants. This article delves into how the Customs and Border Protection (CBP) and DHS handle ESTA applicant information and the circumstances under which this data may be shared with third parties.

Data Collection and Use by CBP and DHS

When applying for an ESTA, travelers are required to provide detailed personal information. This includes biographical data (such as name, date of birth, and country of citizenship), passport details, and answers to eligibility questions regarding criminal history, communicable diseases, and past travel to certain countries. The primary purpose of collecting this information is to assess the traveler's eligibility to enter the U.S. under the VWP.

The CBP, a component of the DHS, is responsible for reviewing ESTA applications. The information provided is checked against various databases, including law enforcement, immigration, and counterterrorism databases, to determine whether the applicant poses a security or law enforcement risk. CBP uses advanced data analytics and risk assessment techniques to flag individuals who may require further scrutiny or are ineligible for travel under the VWP. This process is crucial in enhancing border security while facilitating legitimate travel.

Data Sharing with Third Parties

The sharing of ESTA data with third parties is a topic of particular interest and concern. The DHS has agreements with certain foreign governments and international organizations for the purpose of information sharing to enhance security. Under these agreements, ESTA data can be shared with foreign governments, but only in accordance with U.S. law and international agreements. Such sharing is typically limited to information pertinent to the prevention of terrorism or other serious transnational crimes.

In addition to foreign governments, the DHS may share ESTA data with other U.S. government agencies for purposes consistent with its mission. These agencies include the Department of State, the Federal Bureau of Investigation (FBI), and the National Counterterrorism Center (NCTC), among others. The sharing of data is done in a controlled manner, governed by strict protocols and oversight to ensure that privacy and civil liberties are protected.

Data is not shared frivolously and remains within rules set out by the Privacy Act System of Records Notice and these regulations can be found on the DHS website. There are a few instances where data may be shared outside of the ESTA framework. Those instances include:

  • The sharing of information with different sectors of the DHS - This sharing is selective and compartmentalized so that the information and the information may only be used if the use is in correlation to the sector’s duty.
  • Consular offices of Department of State - This sharing is in the aftermath of a travel authorization denial and is for the specific purpose of helping the officers make a decision regarding the visa based on the information that is supplied.
  • Sharing of relevant information with recognized and proper federal, state, local, tribal and foreign governmental agencies - These include other joint government institutions.
  • Sharing of information can be determined by the DHS is they find that the sharing of the information can be directly beneficial for anti-terrorist motions, or if it is used for compiling information related to national and/or international criminal background checks.
  • Airline and sea carriers - The carriers only have access to your status. They receive no personal information other than that directly pertaining to the final status of your ESTA travel authorization.

Data Protection and Privacy Concerns

The DHS and CBP are acutely aware of the privacy concerns associated with the collection and sharing of personal data. As such, they have implemented a range of safeguards to protect the privacy of ESTA applicants. These measures include data encryption, access controls, and regular audits to ensure that data is handled securely and in compliance with privacy laws and regulations.

In addition to technical safeguards, the DHS has privacy policies and procedures in place to govern the collection, use, sharing, and retention of ESTA data. The DHS Privacy Office plays a key role in ensuring that these policies are adhered to and that the privacy rights of individuals are respected. Applicants also have certain rights regarding their data, including the right to access their ESTA application and to request corrections to any inaccuracies.

Retention and Disposal of Data

The retention of ESTA data is another important aspect of data privacy. The DHS retains ESTA information for a period that is consistent with its mission and legal requirements. Generally, ESTA data is retained for a period of three years from the date of submission or until the passport associated with the ESTA expires, whichever comes first. After this period, the data is archived for an additional twelve years to support law enforcement, national security, or investigatory purposes.

Once the retention period expires, the data is disposed of in a secure manner to prevent unauthorized access or use. The DHS has strict procedures in place for the disposal of sensitive information, ensuring that the privacy of individuals is protected even after the data is no longer needed.

If data is not disposed of, it will be be archived after expiry of the travel authorization. This is to ensure the availability of the information so that it can be recovered should it be needed for national security, investigation, and other related law enforcement purposes. There is limited access to the data after it has been archived and it will be recalled only for the purposes mentioned above.


The ESTA Visa Waiver Program plays a vital role in facilitating travel to the United States while maintaining national security. The collection, use, and sharing of ESTA data by the DHS and CBP are governed by robust privacy and data protection measures. These measures are designed to balance the need for security with the protection of individual privacy rights. While concerns about data privacy are valid, the DHS and CBP have demonstrated a commitment to handling personal information responsibly and transparently. As the landscape of international travel and security evolves, ongoing efforts to enhance privacy protections will remain a key priority for the DHS and its component agencies.