FDA Issues Draft Guidance on Records Access for Cosmetics

Understanding What It Means for MoCRA Compliance and Industry Recordkeeping 

On January 21, 2026, the U.S. Food and Drug Administration released a new draft guidance document titled “FDA Records Access Authority for Cosmetics: Guidance for Industry.” This draft guidance clarifies how and when the FDA may exercise its expanded authority to access records related to cosmetic products under the Modernization of Cosmetics Regulation Act of 2022, or MoCRA. (U.S. Food and Drug Administration) 

MoCRA is the most significant update to cosmetic regulation in the United States in more than 80 years, and it grants the FDA new powers over record access, adverse event reporting, facility registration, product listing, safety substantiation and enforcement of certain compliance requirements. Record access has emerged as a critical piece of industry compliance because it affects what information companies must maintain and how they must respond to FDA requests. (U.S. Food and Drug Administration) 

This draft guidance explains the FDA’s current thinking on how it plans to implement its expanded record access authority. It is not yet final, but it provides a valuable window into the agency’s expectations for regulated companies and suggests how enforcement and inspections may operate once the guidance becomes final. (U.S. Food and Drug Administration) 

In this blog, we break down the key points from the draft guidance, what it means for cosmetic manufacturers, packers, distributors and other responsible persons, and what companies should do now to prepare. 

Why the Draft Guidance Matters 

MoCRA amended the Federal Food, Drug and Cosmetic Act to grant the FDA explicit authority to access and copy records related to cosmetic products in specific circumstances. Prior to MoCRA, the FDA’s power to request and review cosmetic company records was much more limited. MoCRA changes that by adding two new access authorities to the statute under Sections 605 and 610 of the FD&C Act and by amending the general inspection authority in Section 704 to apply to records covered by those sections. (U.S. Food and Drug Administration) 

The draft guidance seeks to clarify: 

• When the FDA may request access to records 

• What types of records may be subject to review 

• How the FDA expects regulated entities to respond to these requests 

• How the agency will handle confidentiality concerns 

• Common questions from industry about scope and process 

Understanding these points is essential for any company that makes, packs, distributes or is otherwise responsible for cosmetic products marketed in the United States. (U.S. Food and Drug Administration) 

Who Is Subject to the FDA’s Records Access Authority 

Under MoCRA, the entities subject to the FDA’s expanded record access authority include: 

• Responsible persons for cosmetic products, defined as the manufacturer, packer or distributor whose name appears on the product label 

• Facilities that manufacture or process cosmetic products for distribution in the United States 

These entities may be required to provide records to FDA during an inspection or when the agency has a reasonable belief that a product may be adulterated in a way that poses a risk of serious adverse health consequences or death. (U.S. Food and Drug Administration) 

The draft guidance makes it clear that the FDA’s authority to access records is part of its broader inspectional power under Section 704 of the FD&C Act, as amended by MoCRA, and that it may exercise this authority at reasonable times and in a reasonable manner once proper notice is provided. (U.S. Food and Drug Administration) 

Two Main Record Access Authorities in MoCRA 

The draft guidance centers on two specific provisions added by MoCRA that give the FDA power to access and copy certain records: 

1. Section 605 – Adverse Event Records Access 

Section 605 allows the FDA to access and copy records related to adverse event reports received by responsible persons during an inspection. This access applies while the FDA is conducting an inspection under Section 704 of the FD&C Act. (U.S. Food and Drug Administration) 

Under this authority, the FDA can request: 

• Communications between the responsible person and individuals who provided information about adverse events 

• Records of the responsible person’s assessment of whether the event was serious or non-serious 

• Copies of serious adverse event reports submitted to the FDA, including attachments, supplemental medical information and follow-up reports 

Records must be retained for six years after their creation. Small businesses that meet certain qualifying criteria may only need to retain these records for three years. The guidance also clarifies that records may be maintained in either paper or electronic formats. (U.S. Food and Drug Administration) 

2. Section 610 – Records Access When Products May Pose Serious Health Risks 

Section 610 provides the FDA with broader authority to access and copy records when the agency has a reasonable belief that a cosmetic product, including an ingredient of a product, is likely to be adulterated and that exposure or use may present a threat of serious adverse health consequences or death. This authority applies to both responsible persons and cosmetic facilities. (U.S. Food and Drug Administration) 

Under this authority, the FDA may request access to records such as: 

• Manufacturing and processing records 

• Raw materials receipt and testing records 

• Distribution and inventory records 

• Product analytical test results 

• Recall records 

• Customer distribution lists 

• Complaint records and adverse event files 

• Safety substantiation records 

The guidance clarifies that this authority does not extend to certain categories of information, including product formulas or recipes, financial or pricing data, personnel files (other than qualifications of technical personnel), research data not related to safety substantiation, or general sales data beyond shipment information. (U.S. Food and Drug Administration) 

When the FDA May Use Its Records Access Authority 

The draft guidance identifies several scenarios in which the FDA may exercise its authority to request records: 

• During routine inspections of manufacturing or processing facilities 

• In connection with product recalls or investigations into serious adverse health events 

• When consumer complaints raise concerns about safety 

• When laboratory sampling or testing suggests product safety issues 

• When the agency has reason to believe a product presents a threat of serious adverse health effects or death 

These examples are not exhaustive but give companies a practical view of when the FDA might seek records beyond routine inspection requests. (U.S. Food and Drug Administration) 

Retention and Organization of Records 

A core theme in the draft guidance is that records must be maintained in a way that allows them to be readily accessed and copied when requested by the FDA. For most companies, this means keeping: 

• Adverse event and related communications for at least six years 

• Manufacturing, distribution, safety substantiation and complaint records that may be relevant to a serious health risk investigation 

Small businesses qualifying under MoCRA provisions are subject to shorter retention periods for some records. Companies are also encouraged to ensure records are organized and labeled so that they can be located in a timely manner during an inspection. (U.S. Food and Drug Administration) 

The guidance recommends that protected information, such as product formulas or financial data, be clearly marked and safeguarded to ensure that it is not inadvertently provided when responding to a records access request. (U.S. Food and Drug Administration) 

Confidentiality and Protected Information 

The draft guidance confirms that certain categories of information are not subject to FDA access under MoCRA’s record access provisions. These include: 

• Product formulas or trade secret recipes 

• Financial and pricing data not necessary to demonstrate compliance 

• Personnel data unrelated to technical roles 

• Research data not necessary for safety substantiation 

• General sales data that does not include shipment records 

This clarification is important because it provides companies with guidance on where to draw boundaries during a record access request and what information the FDA is not seeking under MoCRA’s statutory authority. (U.S. Food and Drug Administration) 

Consequences for Refusing to Provide Records 

The draft guidance reiterates that refusal to grant the FDA access to records as required under MoCRA and the FD&C Act is a prohibited act under federal law. Potential consequences for refusal or failure to provide required records can include: 

• Civil action in federal court 

• Criminal prosecution 

• Refusal of admission for imported cosmetic products 

The guidance underscores the importance of cooperation during inspections and timely compliance with record requests.

What Companies Should Do Now 

Although the guidance is still in draft form and is open for public comment until March 23, 2026, companies should take steps now to prepare. At a minimum, regulated entities should: 

1. Review Current Recordkeeping Practices Evaluate whether adverse event, complaint, manufacturing and safety records are stored in formats that can be accessed and copied quickly. Ensure retention meets MoCRA requirements. (U.S. Food and Drug Administration) 

2. Update Procedures and Training Consider updating standard operating procedures around adverse event management, data retention, retrieval and inspection response. Train quality and regulatory teams on these expectations. (U.S. Food and Drug Administration) 

3. Identify Protected Information and Safeguards Determine where formulas, financial data and other protected information reside and establish procedures to protect them while still complying with record access requirements.

4. Prepare for Inspection-Ready Records Organize files so that records are easy to find and transfer to FDA teams during inspections. Establish a clear chain of custody for record access requests.

5. Submit Comments on the Draft Guidance Industry stakeholders should consider submitting comments on the draft guidance if they have concerns or ideas about how the guidance could be clarified before it becomes final.

Conclusion: Operational Clarity in a Changing Regulatory Landscape 

The FDA’s draft guidance on records access under MoCRA provides crucial insight into how the agency will implement its expanded authority to inspect and copy records related to cosmetic products. For an industry that has historically operated with limited FDA oversight in certain areas, this guidance signals a shift toward more defined procedural and documentation expectations. 

Cosmetic companies must take this guidance seriously. Recordkeeping practices will increasingly influence how inspections unfold, how compliance is demonstrated and how regulators evaluate product safety and risk. By understanding the scope of the FDA’s authority and preparing ahead of inspections, companies can reduce risk, streamline compliance and ensure they are ready for the next phase of MoCRA implementation.