ARTICLE
5 February 2026

FDA's Draft Guidance For Cosmetics Industry Explains Records-Access Authority During Inspections

WR
Wiley Rein

Contributor

Wiley Rein logo
Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
Explore Firm Details
The U.S. Food and Drug Administration has issued a draft guidance reminding the cosmetics industry that the agency can access a variety of business records during an inspection of a product's responsible person and manufacturing/processing facility.
United States Food, Drugs, Healthcare, Life Sciences
Ann M. Begley,Rebecca L. Dandeker, and Edith Nagy
Ann M. Begley’s articles from Wiley Rein are most popular:
  • within Food, Drugs, Healthcare and Life Sciences topic(s)
Wiley Rein are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring topic(s)
  • with readers working within the Insurance industries

The U.S. Food and Drug Administration (FDA) has issued a draft guidance reminding the cosmetics industry that the agency can access a variety of business records during an inspection of a product's responsible person and manufacturing/processing facility. The refusal to permit access to or copying of such records is a prohibited act under the Federal Food, Drug, and Cosmetic Act (FD&C Act). Like the recent draft guidance on FDA's mandatory recall authority for cosmetics, this guidance was developed by FDA's Office of Inspections and Investigations (OII) in collaboration with the Office of the Chief Scientist (OCS), which oversees the regulation of cosmetic products.

Released on January 22, 2026 and entitled "FDA Records Access Authority for Cosmetics: Guidance for Industry" (91 FR 2779), the draft guidance describes FDA's legal authority for accessing and copying these records, which often contain confidential business information. FDA confirms that it will protect a company's trade secrets as well as personal privacy information, and will guard against the unauthorized disclosure of non-public information. The guidance, when finalized, is intended to inform beauty and personal care product stakeholders about the criteria, process, and expectations for FDA's access to product records under the Modernization of Cosmetics Regulation Act of 2022 (MoCRA). Comments on this draft guidance are due to FDA by March 23, 2026.

Background – FDA's Statutory Authority to Access and Copy Cosmetics Records

FDA's MoCRA records-access authority was enacted via Section 605 (21 U.S.C. 364a) and Section 610 (21 U.S.C. 364f) of the FD&C Act, and via an amendment to FDA's long-standing inspectional authority at Section 704(a)(1) (21 U.S.C. 374(a)(1)).

Section 605 requires that responsible persons must receive and maintain records of any adverse event reports associated with the use in the U.S. of a cosmetic product, and keep them in paper or electronic format for a period of six years, or three years for small businesses. Responsible persons must also submit serious adverse event (SAE) reports to FDA within 15 business days, and submit any new and material medical information related to each SAE for one year. FDA may access and copy all company records related to the adverse events and SAEs during an inspection conducted under its facility inspection authority.

Section 610 authorizes FDA to access and copy any records related to a cosmetic product if FDA "reasonably believes" that the product is likely to be adulterated (including any other product likely to be affected in a similar manner), and the use of or exposure to the product presents a threat of "serious adverse health consequences or death to humans" (SAHCOD). FDA may access records that it believes are necessary to assist it in making its determination of adulteration and SAHCOD. As described below, FDA views this as a broad category of records.

Section 704 describes FDA's general authority to conduct inspections of facilities that manufacture, process, pack, or hold an FDA-regulated product. FDA's authority now includes the inspection of all records and other information described in Sections 605 (adverse events) and 610 (adulterated and SAHCOD products) from responsible persons and facilities that manufacture and process cosmetic products.

FDA's Draft Guidance – Questions and Answers on the Agency's Authority to Access and Copy Records

In its first section, the draft guidance restates the MoCRA definitions for terms that are relevant to FDA's authority to access and copy records (see pages 4-6). Thereafter, the guidance provides helpful examples of what types of records are and are not subject to FDA inspection (see page 6 and 8), as well as for situations in which cosmetic products may cause SAHCOD (see pages 9-11). Lastly, FDA confirms that it will maintain the confidentiality of protected information, and identifies the potential consequences if a company refuses to permit FDA access to the records (see pages 11-12).

1. Section605 – Adverse Event Reports. The draft guidance clarifies what records a responsible person must make available to FDA in case of an adverse event. For example, FDA may access and copy communications between the company and the complainant, and records of the company's assessment of the event as serious or non-serious.

For SAE reports, FDA may also access and copy:

  • The responsible person's report to FDA, with attachments; and
  • Any new and material medical information and related reports to FDA.

2. Section610 – SAHCOD. FDA illustrates what types of documents it may access and copy during a Section 610 inspection, regardless of the records' location, after the presentation of appropriate credentials and written notice to the responsible person or manufacturing/processing facility:

  • Manufacturing and processing records;
  • Packing, distribution, receipt, and importation records;
  • Raw materials (ingredients and packaging) receipt records;
  • Product distribution records and customer distribution lists;
  • Product inventory records;
  • Raw ingredient and finished product analytical results;
  • Safety substantiation records; and
  • Consumer complaints, adverse event reports, and product recall records. (These situations are identified in the draft guidance as the ones "most likely" to trigger an FDA request to access and copy records.)

FDA also restates the statute's list of documents that the Agency may NOT access:

  • Recipes or formulas for cosmetic products;
  • Personnel data;
  • Financial, pricing, and sales data (other than shipment records); and
  • Research data (other than safety substantiation data).

Separately, FDA describes instances under which a cosmetic product may be deemed adulterated and may cause SAHCOD, including microbial contamination, chemical hazards, and impurities (for example), and describes real-world scenarios such as:

  • Alcohol-free mouthwash contaminated with the bacteria Burkholderia cepacia, presenting risk to oral and systemic infection;
  • Skin care products contaminated with Staphylococcus aureus or other harmful bacteria, which may lead to skin infections or systemic illness; and
  • Cosmetic products with unsafe levels of heavy metals (e.g., lead, cadmium), which can be harmful to babies and young children.

Because conditions leading to adulteration often extend beyond a single batch or product, records related to other products "likely to be affected in a similar manner" can be accessed, including those with: shared manufacturing conditions, equipment, ingredients, or packaging; cross-contamination potential (e.g., due to close proximity); systemic process deficiencies; or supplier-related risks.

3. Confidentialityand Refusal. FDA confirms that it will maintain the confidentiality of any protected information contained in the records that it obtains. FDA will follow applicable laws that protect personal privacy information, confidential commercial information, and trade secrets. FDA states that, for both foreign and domestic firms, its personnel will comply with all applicable protections, procedures, and legal requirements against the unauthorized disclosure of non-public information.

Should a company refuse to permit FDA access to the above-described records, FDA can initiate enforcement actions such as a civil injunction action in federal court, a criminal prosecution, or a refusal to admit a cosmetic product being imported into the U.S. (under Sections 302, 303, and 801(a) of the FD&C Act).

Key Takeaways

For Cosmetic Contract Manufacturers and Manufacturing Facilities: Prepare for FDA facility inspections, which will include records access requests. Ensure that your adverse event/SAE files are in order and segregated by product and responsible person. Train your team on the meanings of "adulteration" and SAHCOD, in case FDA asserts authority over a wider range of records, including safety substantiation files.

For Ingredient Suppliers: Prepare for records access requests from your cosmetic manufacturer customers, which may include safety substantiation data, and which should be segregated by ingredient and responsible person for easy location and copying.

For Own-Label Distributors: Ensure that your third-party agreements and internal procedures cover the collection, maintenance, storage, retrieval, and confidentiality of, and response times for, the numerous records that are subject to FDA jurisdiction.

For Third-Party Compliance Vendors: Although your adverse event collection and investigation activities may be authorized and directed by responsible persons, the records under your control are subject to FDA inspection and access requests. Clearly identifying each record by the relevant product and responsible person will be key, as will be segregating them by categories of adverse events, SAEs, and non-regulated complaints (i.e., those that are not health-related). You should also prepare for responding immediately to urgent requests from your customers who are responsible persons, since they will have limited timelines for responding to FDA requests for records.

For All Responsible Persons:

  • Use professionalism and care when conducting product complaint investigations and corresponding with customers. Do not make suggestions or embellish what the customer may have experienced, and do not downplay their experience. Avoid guesswork and hyperbole. Follow a written company procedure when categorizing a communication as an adverse event, an SAE, or a non-reportable complaint.
  • Clearly mark all information that is considered to be trade secret, confidential, personal privacy, or personal identification information with labels as such. Institute a company policy stating that all copies of records must retain those same markings.
  • Separate and label any data and information that you believe should not be accessed by FDA, in accordance with law. Train employees who may be involved with FDA inspections on the differences between accessible and inaccessible records.

With these strategies in mind, all MoCRA stakeholders will be well-equipped to handle any FDA records access requests related to cosmetic products.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Ann M. Begley
Ann M. Begley
Photo of Rebecca L. Dandeker
Rebecca L. Dandeker
Photo of Edith Nagy
Edith Nagy
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More