Let me be blunt with you.
If you run a business in California and you do not have a written Workplace Violence Prevention Plan sitting in your files right now — fully compliant, fully trained on, fully documented — you are exposed. Not theoretically exposed. Not "we should probably get to that" exposed. Exposed the way a guy standing in the rain without an umbrella is exposed. Wet. Cold. And about to get a whole lot more uncomfortable when Cal/OSHA shows up.
SB 553 is not a suggestion. It is not a guideline. It is California law, and the compliance deadline already passed on July 1, 2024. Every day you operate without a compliant Workplace Violence Prevention Plan (WVPP) is a day you are volunteering for citations, penalties, and liability that could gut your business.
Here is everything you need to know — and everything you need to do about it.
---
1. What Is SB 553?
Senate Bill 553, signed by Governor Newsom on September 30, 2023, added Section 6401.9 to the California Labor Code. It is the most sweeping workplace violence prevention mandate in the United States.
The law requires virtually every employer in California to establish, implement, and maintain a written Workplace Violence Prevention Plan. Not a pamphlet. Not a poster in the breakroom. A written plan with specific required elements, backed by documented training, supported by a violent incident log, and subject to annual review.
This is not California being California. This is California responding to a documented surge in workplace violence incidents — assaults, threats, active shooters, domestic violence spilling into the workplace — and deciding that employers bear the responsibility of having a plan before something happens, not after.
The statute codifies requirements that previously existed only in fragmented form across various Cal/OSHA standards. Now there is one law. One standard. One set of requirements. And one very clear message: comply or pay.
---
2. Who Must Comply
The short answer: you.
If you employ anyone in California, SB 553 almost certainly applies to you. The law covers all employers and all places of employment, with a narrow set of exceptions that most businesses will not qualify for.
The Exceptions
Labor Code Section 6401.9(b) carves out the following:
- **Remote workers** — Employees working from a location of their own choosing that is not under the control or direction of the employer. Your employee working from their kitchen table is not covered. Your employee working from a company-controlled satellite office is.
- **Healthcare facilities** — Employers already covered under 8 CCR Section 3342, California's existing workplace violence prevention standard for healthcare. If you are a hospital, skilled nursing facility, or other covered healthcare entity already operating under the healthcare-specific standard, you are exempt from SB 553's general requirements. You are not exempt from having a plan — you are exempt from this particular plan because you already have a more specific one.
- **Law enforcement agencies** — As defined under Penal Code Sections 830 et seq.
- **Department of Corrections and Rehabilitation** — Facilities and employees of CDCR.
- **Employers with fewer than 10 employees** at any given time who are not accessible to the public. Read that twice. Both conditions must be met. If you have 8 employees and customers walk through your door, you are covered.
Everyone else? You need a WVPP. Period.
That includes offices, retail stores, warehouses, restaurants, construction sites, property management companies, auto shops, dental practices, law firms, staffing agencies, and every other business type operating within the borders of this state.
---
3. The Four Types of Workplace Violence
SB 553 and Cal/OSHA recognize four distinct types of workplace violence. Your WVPP must address all four. Understanding them is not academic — it determines how you structure your hazard identification, your training, and your response protocols.
Type 1: Criminal Intent
The perpetrator has no legitimate relationship with the business or employees. This is the robbery, the break-in, the stranger who walks through the door with bad intentions. Retail, hospitality, and businesses that handle cash are highest risk.
Type 2: Customer/Client
The perpetrator is a customer, client, patient, student, or other person receiving services from the business. Healthcare workers, social services, educators, and anyone in a public-facing role faces elevated Type 2 risk. This is the most common type of workplace violence in California.
Type 3: Worker-on-Worker
The perpetrator is a current or former employee, supervisor, or manager. Bullying, harassment, intimidation, and physical altercations between coworkers. This is the one most employers do not want to think about and therefore do not plan for.
Type 4: Personal Relationship
The perpetrator has a personal relationship with an employee — spouse, partner, family member, friend — and the violence occurs in the workplace. Domestic violence does not stay at home. It follows people to work. Your plan must account for that reality.
Your WVPP must address hazard identification, prevention measures, and response procedures for all four types. A plan that only addresses armed robbery and ignores a stalking ex-partner showing up in the parking lot is an incomplete plan. And an incomplete plan is a citation waiting to happen.
---
4. Required WVPP Elements
Labor Code Section 6401.9(c) spells out what your written Workplace Violence Prevention Plan must include. There is no ambiguity here. These are not recommendations. They are requirements.
A. Responsible Persons
Your plan must name the person or persons responsible for implementing and maintaining the WVPP. Names and titles. Not "management" or "HR." Actual human beings with actual accountability.
B. Employee Involvement
Employees must be involved in the development, implementation, and review of your WVPP. This is not a checkbox exercise. Cal/OSHA expects documented evidence that employees had meaningful input — through safety committees, surveys, feedback sessions, or other participatory mechanisms.
C. Multi-Employer Coordination
If your workplace has employees from multiple employers — think staffing agencies, subcontractors, or shared facilities — your plan must address coordination between all employers at the site. You cannot create a plan that only covers your people while ignoring the temp workers standing right next to them.
D. Hazard Identification and Evaluation
This is the backbone of your WVPP. You must identify and evaluate workplace violence hazards specific to your workplace. Not generic hazards copied from a template. Your hazards. Your facility. Your industry. Your specific risk factors.
This includes:
- Physical environment (lighting, layout, access points, isolated areas)
- Staffing patterns (working alone, late-night shifts)
- History of violence at the location
- Type-specific risk factors for all four violence types
- Input from employees who actually work in the environment
E. Hazard Correction
Identifying hazards is only half the job. Your plan must include procedures for correcting identified hazards in a timely manner. If your hazard assessment reveals that the back parking lot has no lighting and employees walk to their cars at midnight, your plan must address how and when you will fix that.
F. Reporting Procedures
Employees must have clear, accessible procedures for reporting workplace violence incidents, threats, and concerns — without fear of retaliation. The plan must explain how to report, to whom, and what happens after a report is made. If your employees do not know how to report a threat, your plan has failed before it was ever tested.
G. Emergency Response
Your plan must include procedures for responding to actual workplace violence emergencies. This includes evacuation procedures, shelter-in-place protocols, communication systems, and coordination with law enforcement. Every employee must know what to do when the situation goes from "concerning" to "active."
H. Post-Incident Response
After a workplace violence incident, your plan must include procedures for providing services to affected employees — debriefing, counseling referrals, medical care, and follow-up. The incident does not end when the police leave. It ends when your people are taken care of.
I. Training
Your plan must include a training program that covers the WVPP itself and equips employees to recognize hazards, use reporting procedures, and execute emergency protocols. More on training requirements in Section 6 below.
J. Plan Review
The WVPP must be reviewed at least annually, and additionally after any workplace violence incident. A plan that was written in 2024 and never touched again is a stale plan, and Cal/OSHA does not accept stale plans.
---
5. The Violent Incident Log
This is the requirement that catches most employers off guard.
Under Labor Code Section 6401.9(d), every employer must maintain a Violent Incident Log that records every workplace violence incident. This is separate from your OSHA 300 log. This is a standalone document with its own requirements.
Required Fields
Each log entry must include:
- Date, time, and location of the incident
- Detailed description of the incident
- Classification by workplace violence type (1-4)
- Circumstances at the time of the incident (staffing, physical environment)
- The incident's consequences (injuries, property damage, psychological impact)
- Actions taken by the employer in response
- Information about the perpetrator (to the extent known), using general descriptions rather than names to protect privacy
PII Protection
The log must be maintained in a way that protects the personally identifiable information of the victims. You must balance documentation thoroughness with privacy. This means general descriptions of individuals, not names. Incident details without identifying the victim to anyone reviewing the log who does not need to know.
Retention
Five years. You must retain your Violent Incident Log for a minimum of five years. Not from the date of the last entry — five years from the date of each individual incident. And the log must be made available to Cal/OSHA, employees, and authorized employee representatives upon request.
If you have no log, or your log is incomplete, that is a standalone citable violation independent of any other WVPP deficiency.
---
6. Training Requirements
Training is where most employers either get it right or expose themselves completely. SB 553 does not accept a one-and-done approach.
Initial Training
All employees must receive training on your WVPP when the plan is first established, and all new employees must be trained when they are hired. The training must cover:
- The employer's WVPP and how to access it
- How to report workplace violence incidents, threats, and concerns
- Workplace violence hazards specific to the employees' jobs and the workplace
- How to avoid and respond to workplace violence incidents
- The violent incident log and employees' right to access it
- The opportunity for interactive questions and answers with a person knowledgeable about the plan
That last point matters. You cannot just hand someone a binder and call it training. There must be an interactive component where employees can ask questions and get competent answers.
Annual Refresher Training
Every employee must receive refresher training at least once per year. Not "when we get around to it." Not "every other year." Annually.
Additional Training Triggers
Additional training is required when:
- A new or previously unrecognized workplace violence hazard is identified
- Changes are made to the WVPP
- A workplace violence incident occurs
- Employee deficiencies in knowledge or response are identified through drills or incidents
Documentation
All training must be documented. Records must include the dates of training, the content covered, the names and qualifications of trainers, and the names and job titles of all attendees. Retain these records for at least one year (per general Cal/OSHA training documentation requirements), though best practice — and what Protekon recommends — is to retain them for five years to match your Violent Incident Log retention.
Bilingual and Accessible Delivery
Training must be provided in a language and manner that employees understand. If 40% of your workforce speaks Spanish as their primary language, training in English alone is deficient. If you have employees with literacy challenges, your training must account for that. Cal/OSHA does not care about your convenience. They care about comprehension.
---
7. Enforcement and Penalties
Here is where the conversation gets expensive.
Cal/OSHA enforces SB 553 through its existing inspection and citation framework under Labor Code Division 5 and Title 8 of the California Code of Regulations. Inspections can be triggered by employee complaints, reported incidents, or programmed (random) inspections.
Penalty Structure
| Violation Type | Maximum Penalty Per Violation |
|---|---|
| General (non-serious) | $18,000 |
| Serious | $25,000 |
| Willful or repeat | $180,000 |
These are per-violation penalties. One inspection can produce multiple citations across multiple elements of your WVPP. No plan at all? That is not one violation — that is a violation for every required element you are missing.
Repeat Violations
If you have been cited before and Cal/OSHA finds the same deficiency on a subsequent inspection, penalties escalate. Repeat violations carry enhanced penalties and dramatically increase the likelihood of being classified as "willful" — meaning you knew the requirement existed and chose not to comply.
Beyond Cal/OSHA
Citations are just the regulatory cost. The real financial exposure is civil liability. If an employee is harmed by workplace violence and you had no compliant WVPP — no hazard assessment, no training, no reporting procedure — a plaintiff's attorney will use that regulatory failure as evidence of negligence. SB 553 compliance is not just about avoiding Cal/OSHA penalties. It is about not handing a trial lawyer the keys to your bank account.
---
8. Step-by-Step Implementation
Stop overthinking this. Here are the nine steps, in order.
Step 1: Assign Responsibility
Name the person or persons who will own the WVPP. This is typically an HR director, safety manager, or operations lead. Small businesses: it is you. Write the names down. Put them in the plan.
Step 2: Form an Employee Participation Mechanism
Create a safety committee, distribute a survey, or schedule structured feedback sessions. Document how employees were involved. Keep the records.
Step 3: Conduct a Workplace Violence Hazard Assessment
Walk every inch of your facility. Review all four violence types against your specific operations. Interview employees. Identify physical vulnerabilities (poor lighting, isolated areas, uncontrolled access points). Identify operational vulnerabilities (cash handling, late-night shifts, difficult clients). Document everything.
Step 4: Develop Hazard Correction Procedures
For every hazard identified in Step 3, write down what you will do about it. Timelines. Responsible persons. Interim protective measures while permanent corrections are being implemented.
Step 5: Establish Reporting Procedures
Create clear, simple, accessible reporting channels. Multiple channels — verbal, written, anonymous if possible. Make sure every employee knows exactly how to report a threat, a concern, or an incident. Document the procedures in the written plan.
Step 6: Create Emergency Response Protocols
Develop response procedures for active violence events. Include evacuation routes, shelter-in-place locations, communication methods, and law enforcement coordination. These must be specific to your facility, not generic templates.
Step 7: Build Your Post-Incident Response Plan
Document how you will respond after an incident. Employee assistance programs, counseling referrals, medical care coordination, operational debriefs, and plan review triggers. The hours and days after an incident are when your plan proves its worth.
Step 8: Develop and Deliver Training
Build a training program that covers every element above. Deliver it to all current employees. Schedule it for all new hires. Calendar your annual refresher. Document everything — dates, content, trainers, attendees. Deliver in all languages your workforce requires.
Step 9: Set Up the Violent Incident Log and Review Calendar
Create your log template with all required fields. Establish who maintains it and where it is stored. Calendar your annual plan review. Calendar additional review triggers (post-incident, hazard changes, regulatory updates).
Do these nine steps in order, document every one, and you have a defensible, compliant WVPP.
---
9. Common Mistakes That Trigger Citations
I have seen the same failures over and over. Save yourself the pain.
**Using a generic template without customization.** Cal/OSHA inspectors can spot a downloaded template from the first paragraph. Your plan must reflect your specific workplace, your specific hazards, and your specific operations. A template is a starting point, not a finished product.
**No evidence of employee involvement.** The law requires it. If you cannot produce documentation showing employees were involved in developing the plan, you are citable. Meeting minutes, survey results, committee rosters — something must exist.
**Training without documentation.** If you trained your employees but cannot prove it, you did not train your employees. Signed attendance rosters, training content records, and trainer qualifications must be on file.
**English-only training for a multilingual workforce.** This is one of the fastest ways to earn a citation. If your employees do not understand the training, the training did not happen.
**Incomplete or missing Violent Incident Log.** Many employers do not know about the log requirement until the inspector asks for it. By then, it is too late. The log must be current, complete, and maintained as a standalone document.
**No annual review.** Your plan must be reviewed at least annually. If the document date is two years old and there is no record of review, you are out of compliance.
**Failing to address all four violence types.** Plans that only cover Type 1 (criminal intent) and ignore Types 2-4 are incomplete plans. Cal/OSHA will cite the gap.
**No post-incident response procedures.** Many plans cover prevention and emergency response but stop there. The law requires post-incident procedures. If they are missing, you are missing a required element.
---
10. The Permanent Standard: OSHSB Rulemaking
SB 553 directed the Occupational Safety and Health Standards Board (OSHSB) to consider adopting a permanent workplace violence prevention standard through its formal rulemaking process. This means that the requirements you see today under Labor Code 6401.9 are the floor, not the ceiling.
The permanent standard, once adopted through 8 CCR rulemaking, is expected to add specificity and potentially expand requirements beyond what the statute currently mandates. Areas likely to be addressed include more detailed hazard assessment methodologies, specific engineering and administrative controls, record-keeping enhancements, and industry-specific provisions for high-risk sectors.
What this means for you: even if you are fully compliant with SB 553 today, the regulatory landscape is moving. The permanent standard will require plan updates, possible retraining, and ongoing monitoring of regulatory developments. Businesses that treat compliance as a one-time project will find themselves out of compliance when the permanent standard drops.
---
11. What Protekon Delivers
You have two options.
**Option A:** You figure all of this out yourself. You read the statute. You interpret the regulatory guidance. You build the plan. You create the training. You set up the log. You conduct the hazard assessment. You calendar the reviews. You monitor the rulemaking. You do all of this while also running your actual business.
**Option B:** You hand it to Protekon.
Protekon is managed compliance-as-a-service. We do not sell you a template and wish you luck. We build your WVPP from the ground up — customized to your workplace, your industry, your workforce, and your specific risk profile. We deliver training in the languages your employees speak. We set up and maintain your Violent Incident Log. We calendar and conduct your annual reviews. We monitor the OSHSB rulemaking process and update your plan when the permanent standard is adopted.
This is not consulting. This is not a binder. This is ongoing, managed compliance — the same way you have managed IT or managed payroll. You pay a predictable monthly fee, and workplace violence prevention compliance is handled. Completely. Permanently. Defensibly.
Here is what that includes:
- **Custom WVPP Development** — Built for your specific workplace, not adapted from a template
- **Hazard Assessment** — On-site evaluation covering all four violence types
- **Employee Training** — Initial and annual refresher, bilingual delivery, fully documented
- **Violent Incident Log Setup and Maintenance** — Compliant from day one
- **Annual Plan Review** — Calendared, conducted, and documented
- **Regulatory Monitoring** — Permanent standard tracking and proactive plan updates
- **Inspection Support** — If Cal/OSHA shows up, we are your compliance backbone
Every day without a compliant WVPP is a day you are betting that Cal/OSHA will not knock on your door, that no incident will occur, and that no plaintiff's attorney will ask the question: "Did the employer have a plan?"
Stop betting. Start complying.
**[Get your free compliance assessment from Protekon →](https://protekon.com/assessment)**
