
The Modernization of Cosmetics Regulation Act of 2022 (MoCRA) brought major changes to cosmetics regulation. Among other changes, it aligned cosmetics adverse-event record-keeping and reporting with over-the-counter drug requirements. Under MoCRA, cosmetics manufacturers, distributors, and packers must report consumer claims of “serious adverse events” to the U.S. Food and Drug Administration (FDA). Qualifying events include death, life-threatening conditions, inpatient hospitalization, persistent or significant disability or incapacity, congenital anomaly or birth defect, infection, and significant disfigurement. MoCRA also requires cosmetics manufacturers, distributors, and packers to keep records of any “adverse event,” meaning any negative health-related event, for at least six years. Because the MoCRA requirements took effect before most state privacy laws were enacted, cosmetics companies should be mindful of complying with the applicable state data privacy laws when collecting the data necessary to comply with MoCRA.

State Data Privacy Laws

Information collected to comply with MoCRA may include sensitive data, such as a customer’s name or other identifier; sex; date of birth; preexisting medical conditions, including smoking and drug or alcohol use; and the reported adverse health event. Collecting this information may implicate state privacy laws, even if a third-party vendor assists with collection. The California Consumer Privacy Act (CCPA), Washington’s My Health My Data Act (MHMDA), and other state privacy laws may contain exceptions or exemptions relevant to information collected or retained to comply with legal obligations, including MoCRA adverse-event reporting and recordkeeping. However, those provisions are statute-specific and do not necessarily place all such data outside the scope of applicable privacy law. Cosmetics companies should therefore assess applicable state law requirements carefully, regardless of whether they collect the data themselves or through a third-party vendor. For example, some state comprehensive privacy laws require organizations to clearly disclose their data collection, use, retention, and sharing practices; limit processing to what is reasonably necessary and proportionate to disclosed purposes; and provide individuals with rights to access, delete, and correct their personal information. Some laws also require consent for specified processing activities involving sensitive data or consumer health data. Contracts with third parties that collect or otherwise process adverse event or other personal information should also include appropriate privacy and data processing terms.

MHMDA covers consumer health data, broadly defined as data linked to a consumer that identifies the consumer’s physical or mental health status. This may include skin conditions and adverse-event information suggesting an underlying health condition. When applicable, MHMDA requires explicit consent before collecting or sharing consumer health data; a separate privacy notice describing what data is collected, how it is used, and with whom it is shared; and compliance with additional restrictions on the sale or sharing of that data. States beyond California and Washington also have privacy laws that may impose notice, consumer rights, data-minimization, and contracting obligations in connection with the collection and processing of personal information, and some laws require consent for specified categories of sensitive data or processing activities.

Data minimization is also critical if a cosmetics company shares information collected to comply with MoCRA with a third party, such as a vendor. Cosmetics companies should assess whether information processing in connection with MoCRA compliance (including information disclosed to a third party) is strictly necessary or whether they are able to provide less data — for example, by hashing or removing certain personal identifiers.
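As an added illustration of the minimization step described above (example code written for this page, not from the original article or any vendor; the record fields, the vendor allow-list and the sample record are all constructed assumptions), the following Python reduces an adverse-event intake record before it is handed to a third party: direct identifiers are dropped, a keyed hash replaces the e-mail address so that follow-up reports can still be linked to the same consumer, the date of birth is generalized to a birth year, and a final check confirms that no raw identifier survived in the shared copy.

```python
import hmac
import hashlib
from typing import Any

# Fields a downstream vendor is assumed to need to handle the event; everything
# else in the intake record is dropped. (Assumed schema; the article defines none.)
VENDOR_FIELDS = {"report_id", "sex", "birth_year", "product",
                 "event_description", "consumer_ref"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A keyed hash is used instead of a bare SHA-256 because names and e-mail
    addresses have little entropy: a bare hash of an e-mail address can be matched
    simply by hashing a list of candidate addresses. The key stays with the data
    controller and is never given to the vendor, so the vendor cannot reproduce
    the mapping on its own.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_for_vendor(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a reduced copy of an adverse-event record for sharing with a vendor.

    - name and e-mail are removed; a stable pseudonym derived from the e-mail
      lets the vendor link follow-ups without learning who the consumer is
    - date of birth (YYYY-MM-DD) is generalized to birth year
    - only allow-listed fields are emitted; the input record is not mutated
    """
    out: dict[str, Any] = {}
    if "email" in record:
        out["consumer_ref"] = pseudonymize(record["email"], key)
    if "date_of_birth" in record:
        out["birth_year"] = int(record["date_of_birth"][:4])
    for field in ("report_id", "sex", "product", "event_description"):
        if field in record:
            out[field] = record[field]
    # Guard against a later edit adding a field outside the allow-list.
    extra = set(out) - VENDOR_FIELDS
    if extra:
        raise ValueError(f"fields not allowed for vendor: {sorted(extra)}")
    return out


def contains_direct_identifiers(shared: dict[str, Any], original: dict[str, Any]) -> bool:
    """Pre-transfer control: True if the raw name or e-mail from the original
    record appears anywhere in the values about to be shared."""
    raw = {str(original.get(k, "")).lower() for k in ("consumer_name", "email")}
    raw.discard("")
    blob = " ".join(str(v) for v in shared.values()).lower()
    return any(r in blob for r in raw)


# Constructed sample intake record (fictional data, not from the article).
SAMPLE_RECORD = {
    "report_id": "AE-0001",
    "consumer_name": "Jane Example",
    "email": "jane@example.com",
    "date_of_birth": "1985-04-12",
    "sex": "F",
    "product": "Example Brand Face Serum",
    "event_description": "rash and swelling after use",
    "preexisting_conditions": ["eczema"],
}
# Placeholder key for the example; in practice it lives in a secrets manager.
SAMPLE_KEY = b"example-key-not-for-production"

if __name__ == "__main__":
    reduced = minimize_for_vendor(SAMPLE_RECORD, SAMPLE_KEY)
    print(reduced)
    print("raw identifiers leaked:", contains_direct_identifiers(reduced, SAMPLE_RECORD))
```

The pre-existing conditions are deliberately not forwarded here because the assumed vendor role does not need them; which fields are "strictly necessary" is a decision to document per vendor, and the allow-list makes that decision explicit and reviewable rather than leaving it to whatever the intake form happened to capture.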

Certain state laws may impose additional requirements when cosmetics companies share consumers’ personal data collected for MoCRA compliance purposes with a parent company or other affiliated entity, including where the parent company will maintain the data. As a general matter, comprehensive privacy laws such as CCPA permit data sharing between affiliated entities that share common branding. Even so, companies should confirm that any use of the data by the parent or affiliate company is consistent with the disclosures in applicable privacy notices.

Although MoCRA’s adverse-event reporting and recordkeeping obligations are mandatory, complying with those requirements does not eliminate the need to assess how adverse-event data is collected, used, retained, and shared under applicable privacy laws. Cosmetics companies should therefore review their intake processes, privacy disclosures, vendor and affiliate arrangements, and data minimization practices to help ensure that information collected for MoCRA compliance is handled in a manner that is both compliant and proportionate to the purpose for which it is collected.