The U.S. Food and Drug Administration (FDA) today published draft guidance clarifying its authority to access and copy cosmetic company records under the Modernization of Cosmetics Regulation Act of 2022 (MoCRA). The guidance, now open for public comment for 30 days, provides critical details for cosmetics manufacturers on record retention requirements, inspection authority, and consequences for non-compliance.
| Key Developments in Today's Guidance |
|---|
| What FDA announced: Draft guidance on records access authority for cosmetic products under MoCRA Sections 605 and 610 |
| Adverse event records: FDA can access during inspections; 6-year retention required (3 years for small businesses) |
| SAHCOD authority: FDA can access manufacturing and safety records when products present serious health threats |
| Protected information: Formulas, financial data, pricing, and personnel records remain confidential |
| Enforcement consequences: Refusal to provide records may result in civil/criminal penalties and import refusal |
| Public comment deadline: 30 days from Federal Register publication at regulations.gov (docket FDA-2025-D-2243) |
What This Means for the Cosmetics Industry
This latest FDA guidance update represents a significant step in implementing MoCRA, the most sweeping cosmetics regulation reform in over 80 years. The draft guidance clarifies long-awaited details on FDA's inspection and records access authority, helping companies understand compliance requirements before final rules take effect. "This guidance provides the clarity industry has been requesting since MoCRA was signed into law in December 2022," said regulatory experts following today's announcement. "Companies now have concrete information on what records to maintain and how to prepare for FDA inspections."Background: Understanding MoCRA
The Modernization of Cosmetics Regulation Act of 2022 (MoCRA), signed into law on December 29, 2022, represents the most significant update to cosmetic regulation since the Federal Food, Drug, and Cosmetic Act of 1938. MoCRA grants FDA new authorities including:- Mandatory facility registration and product listing
- Adverse event reporting requirements
- Safety substantiation requirements
- Enhanced records access and inspection authority
Details of Today's FDA Guidance
The draft guidance addresses FDA's records access authority under three sections of the Federal Food, Drug, and Cosmetic Act, as amended by MoCRA:Quick Reference: FDA Records Access Authority
| Record Type | Retention Period | FDA Authority |
|---|---|---|
| Adverse Event Reports | 6 years (3 for small businesses) | Section 605 - During routine inspections |
| Manufacturing & Safety Records | Varies by record type | Section 610 - When SAHCOD threat exists |
Section 605: Adverse Event Report Records
- Communications between the responsible person and anyone who provided information about adverse events
- Records of assessments determining whether events are serious or non-serious
- For serious adverse events: reports submitted to FDA, new medical information, and supplemental reports
Section 610: SAHCOD Records Authority
The guidance explains FDA's authority under Section 610 to access records when the agency has reasonable belief that a cosmetic product presents a threat of serious adverse health consequences or death (SAHCOD) to humans. When FDA may exercise this authority:- Product recalls
- Adverse event reports indicating serious health risks
- Consumer complaints suggesting SAHCOD threats
- Inspection or sampling results revealing dangerous conditions
- Manufacturing and processing records
- Raw materials receipt records
- Product distribution records
- Analytical test results
- Recall records
- Complaint and adverse event records
- Safety substantiation data
- Recipes or formulas for cosmetics
- Financial data
- Pricing data
- Personnel data (except qualifications of technical personnel)
- Research data (except safety substantiation)
- Sales data (except shipment data)
Real-World Scenarios That May Trigger FDA Action
The guidance provides specific examples of situations where cosmetic products may cause serious adverse health consequences or death:Microbial Contamination
Pathogenic or opportunistic microorganisms that may cause infection. Recent examples cited include:- Cleansing cloths contaminated with Burkholderia cepacia
- Alcohol-free mouthwash with bacterial contamination
- Eye area products contaminated with Pseudomonas aeruginosa
- Tattoo ink with microbial contamination
Chemical or Toxicological Hazards
Unsafe ingredients, impurities, or contaminants triggering acute reactions:- Products containing Benzimidazole pigments causing allergic reactions
- Cosmetic products with unsafe levels of heavy metals
Design or Use-Related Vulnerabilities
Product forms or applications causing unintended exposure:- Nail products containing toxic solvents
- Contaminated applicators
Enforcement: What Happens If Companies Refuse Access
Today's guidance makes clear that refusing to permit access to adverse event records or SAHCOD records during an inspection is a prohibited act under Section 301(e) of the FD&C Act. Potential consequences include:- Civil action in federal court to enjoin the violator
- Criminal prosecution in federal court
- Refusal of admission for cosmetic products offered for import into U.S. commerce
Next Steps: Public Comment Period Opens Today
The draft guidance is now open for public comment at regulations.gov under docket number FDA-2025-D-2243. FDA will accept comments for 30 days following publication in the Federal Register. Industry stakeholders are encouraged to submit comments on:- Practical implementation challenges
- Clarifications needed on specific provisions
- Timeline concerns for compliance
- Small business considerations
What Cosmetics Companies Should Do Now
Following today's FDA announcement, cosmetics companies should take immediate action to prepare for enhanced inspection and records access requirements:1. Review Current Record-Keeping Systems
Assess whether existing adverse event management systems can maintain records for the required retention periods (six years for most companies, three years for qualifying small businesses).2. Ensure Records Are Inspection-Ready
Organize adverse event records to include communications with reporters, seriousness assessments, and all reports submitted to FDA. Records should be readily accessible during inspections.3. Understand SAHCOD Triggers
While Section 610 authority applies only when FDA has reasonable belief of a SAHCOD threat, companies should understand what circumstances might trigger this authority and ensure relevant records are maintained and accessible.4. Verify Protected Information Safeguards
Ensure formulas, financial data, pricing information, and other protected records are clearly identified and properly safeguarded from unauthorized disclosure.5. Submit Comments to FDA
Companies with concerns or questions about specific provisions should submit comments during the 30-day public comment period.Frequently Asked Questions About Today's Guidance
When can FDA request access to my cosmetic records?
FDA can access adverse event records during routine inspections under Section 605. FDA can access broader manufacturing and safety records under Section 610 when the agency has reasonable belief that a product presents a threat of serious adverse health consequences or death.How long must I keep adverse event records?
Most companies must maintain adverse event records for six years after creation. Qualifying small businesses (those not manufacturing or processing certain categories of cosmetic products) must maintain records for three years.What records are protected from FDA access under MoCRA?
FDA's Section 610 authority does not extend to recipes or formulas, financial data, pricing data, personnel data (except qualifications of technical personnel), research data (except safety substantiation), or sales data (except shipment data).What happens if I refuse FDA access to records?
Refusing access is a prohibited act that may result in civil action, criminal prosecution, or refusal of admission for imported cosmetic products.What triggers FDA's SAHCOD records authority?
FDA may exercise Section 610 authority when aware of product recalls, adverse event reports, consumer complaints indicating SAHCOD risk, situations where specific products present SAHCOD threats, or inspection/sampling results revealing dangerous conditions.Do small businesses have different requirements?
Yes. Qualifying small businesses must maintain adverse event records for three years instead of six years. A qualifying small business is one that is not engaged in the manufacturing or processing of certain categories of cosmetic products.Can FDA access my product formulas?
No. Product recipes and formulas are explicitly excluded from FDA's Section 610 records access authority.When does this guidance take effect?
This is draft guidance that does not establish legally enforceable responsibilities. Draft guidance describes FDA's current thinking on a topic and should be viewed as recommendations unless specific regulatory or statutory requirements are cited. FDA will consider public comments before finalizing the guidance.About This Update
This article provides an overview of FDA's draft guidance on records access authority for cosmetics under MoCRA, published January 21, 2026. For the complete guidance document, visit FDA.gov. To submit comments, go to regulations.gov and search for docket FDA-2025-D-2243. We help cosmetics companies build adverse event programs and compliance systems that meet MoCRA requirements. If you have questions about how today's guidance affects your operations or need assistance preparing for inspections, we're here to help.Contact us today.
Last updated: January 21, 2026
