SB 553: California's Workplace Violence Prevention Law Explained

California Senate Bill 553 took effect July 1, 2024. It established some of the most comprehensive workplace violence prevention requirements in the United States. Nearly every employer with California employees must now maintain a Workplace Violence Prevention Plan (WVPP), provide annual employee training, and keep a detailed violent incident log. California employers need to understand what SB 553 requires and what it means in practice.

Who SB 553 Applies To

SB 553 applies to nearly all California employers. Limited exceptions exist for:

• Certain healthcare facilities, which are covered by the more specific California Department of Public Health healthcare workplace violence standards
• Employees who work remotely from a location of their own choosing
• A small number of other specific categories

If your organization has employees who work in a California facility, SB 553 applies to those employees and that workplace. This holds true regardless of where the company is headquartered.

What SB 553 Requires

Workplace Violence Prevention Plan (WVPP). Employers must develop and maintain a written WVPP specific to the workplace. The plan must include:

• The names or job titles of the people responsible for implementing the plan
• Effective procedures for involving employees in developing and reviewing the plan
• Methods the employer will use to coordinate implementation with other employers at shared worksites
• Procedures for accepting and responding to reports of workplace violence
• Procedures for prohibiting employee retaliation for reporting workplace violence
• Procedures for ensuring that supervisors and employees comply with the plan
• Procedures for communicating with employees regarding workplace violence matters
• Procedures for responding to workplace violence emergencies
• Procedures for employee training
• Procedures for post-incident response and investigation
• Procedures for reviewing and revising the plan after a violent incident

The WVPP must be site-specific. A generic corporate template does not meet the requirement if it fails to reflect the actual conditions and risks at the specific workplace.

Violent Incident Log. Employers must record every incident of workplace violence in a log. Each entry must capture:

• The date, time, location, and description of the incident
• The classification of the perpetrator (Type I, II, III, or IV)
• The circumstances of the incident
• The consequences
• Information about what was done in response

The log must be kept for a minimum of five years.

Employee Training. Employers must provide training on the WVPP when the plan is first adopted, annually after that, and whenever the plan is updated. Training must be interactive, meaning employees must have the chance to ask questions. It must cover the content of the WVPP, how to report workplace violence and threats, and how to respond to emergencies.

What SB 553 Does Not Cover

SB 553 sets procedural requirements but does not prescribe specific security measures beyond the planning and training framework. It does not require employers to hire security officers, install specific surveillance systems, or implement particular access control measures. What it requires is a documented plan, employee training on it, and a record of incidents.

The practical implication: SB 553 compliance is a floor, not a ceiling. An employer who has a WVPP, provides training, and keeps an incident log has met the letter of the law. Whether those measures actually address the workplace violence risks the organization faces is a separate question.

Understanding the Four Types of Workplace Violence

SB 553 and the violent incident log rely on a four-part typology. Employers need to understand it to classify incidents correctly and design responses that match the actual risk:

• Type I: Violence committed by someone with no legitimate relationship to the business, typically in the course of a crime such as robbery.
• Type II: Violence by a customer, client, patient, student, or other person the business serves.
• Type III: Violence between coworkers, including current and former employees.
• Type IV: Violence by someone who has a personal relationship with an employee but no connection to the workplace itself, such as a domestic partner who confronts the employee on the job.

These categories matter because the controls that reduce each type of risk differ. A retail employer concerned about Type I incidents will focus on cash handling procedures, lighting, and opening and closing protocols. An employer with a customer-facing service operation will focus on de-escalation training, duress alerting, and documentation of prior problem encounters. An employer with internal personnel conflicts will focus on reporting channels, investigation capability, and threat assessment. A WVPP that treats all four types identically almost always misses the risks actually present at the worksite.

Practical Steps to Build a Defensible WVPP

Most employers we work with start by gathering the documents and policies they already have. These often include an IIPP, a code of conduct, an anti-harassment policy, and emergency action procedures. They feed into the WVPP but do not replace it. The next step is a walk-through of the actual worksite with the people who work there. The hazards that matter are often invisible from an office: a loading dock with no line of sight to the parking lot, a reception desk with no barrier, a shared lobby with a tenant whose clientele has a history of disruptive behavior, or a night shift with only two employees on site.

Employee involvement is not a formality. The statute requires it, and Cal/OSHA inspectors ask about it. In practice, this means documenting how employees contributed input. That can be through a safety committee, a survey, a series of meetings, or some combination, with records kept of the process. When our security consulting team develops a WVPP for a California client, we build the employee input process into the engagement so the documentation exists from day one.

The reporting procedure deserves particular attention. A WVPP that tells employees to report concerns to their supervisor fails in exactly the circumstances that matter most: when the supervisor is the problem, when the concern involves a peer the supervisor is protecting, or when the employee fears retaliation. A mature reporting procedure offers multiple channels, including at least one that bypasses the immediate chain of command. It is paired with a written anti-retaliation commitment that employees have seen in training.

Coordinating WVPP Compliance with Investigations and Threat Assessment

SB 553 requires procedures for post-incident response and investigation. It does not tell employers how to actually conduct an investigation or how to evaluate whether a concerning communication represents a genuine threat. This is where the statute meets real operational capability. When an employee reports that a coworker made a statement that could be interpreted as a threat, or when a customer sends an escalating series of hostile messages, the employer needs to decide quickly what comes next. The options include a formal threat assessment, a workplace investigation, law enforcement involvement, or some combination.

Employers without in-house capability often retain outside professionals for this work. A licensed investigator can conduct witness interviews, preserve digital evidence, and produce a written report that protects the employer if the matter later results in litigation or a Cal/OSHA inquiry. For incidents involving electronic communications, social media activity, or suspected unauthorized access to company systems, digital forensics support is often essential to preserve evidence in a defensible way. Employers investigating concerns about a specific individual frequently need background investigations that go beyond what a standard pre-employment screen provides. This applies whether the subject is an applicant, a current employee, or a person of interest associated with an employee.

Integrating these capabilities into the WVPP before an incident occurs works far better than scrambling to find vendors during a crisis. The plan should identify, by role, who authorizes outside investigation, what the escalation criteria are, and how information flows between HR, legal, security, and executive leadership.

Common Compliance Gaps We See

Several patterns appear repeatedly when we audit existing WVPPs:

• The generic template problem: A national employer adopts a single plan for all California sites, and the plan references hazards, roles, and layouts that do not exist at most of those locations.
• Stale training: The plan was adopted, employees were trained once, and no annual refresher has occurred.
• A weak incident log: The log is either empty, because employees were never told how to report, or inconsistent, because different managers log incidents with different levels of detail.
• A reporting procedure that exists on paper only: It has no actual workflow behind it, so reports accumulate without assessment or response.

Each of these gaps is visible to a Cal/OSHA inspector. Each is the kind of deficiency that turns a routine inspection into a citation. They are also correctable. A site-specific plan refresh, a documented training cycle, a clear log format with assigned ownership, and a real intake workflow address most of what inspectors look for.

The Role of Threat Assessment in SB 553 Compliance

SB 553 requires that the WVPP include procedures for assessing and responding to reported concerns. A threat assessment capability is a natural component of a complete SB 553 implementation. That means the ability to evaluate the seriousness of a reported threat or concerning behavior and respond appropriately.

Organizations that build threat assessment protocols into their WVPP are better positioned to respond effectively when concerns arise. They also show a more robust commitment to prevention than organizations that treat SB 553 as a documentation exercise.

Enforcement

Cal/OSHA is responsible for enforcing SB 553. Employers who fail to develop, implement, or maintain a WVPP are subject to citation and penalty. The violation categories that apply to SB 553 non-compliance can carry significant per-violation penalties. Cal/OSHA is known for proactive enforcement in the workplace safety domain.

Enforcement also intersects with civil liability. An employer that suffers a workplace violence incident and cannot produce a compliant WVPP, training records, and an incident log faces a much harder position in any resulting litigation. An employer that can document a sustained, good-faith prevention program is in a far stronger spot. The paper trail created by SB 553 compliance is protective in two directions: it reduces regulatory exposure, and it provides evidence of reasonable care.

Getting Into Compliance

Developing a compliant WVPP for a specific California workplace requires more than downloading a template. The plan must be site-specific, developed with employee input, and reflect the actual conditions and risk factors at the location. Organizations with multiple California facilities need site-specific plans for each.

Our security consulting team assists California employers with SB 553 compliance: WVPP development, threat assessment program design, and employee training that meets the law's interactive training requirements. Our training team delivers the interactive sessions SB 553 requires. Corporate clients integrate the plan, training, and threat-assessment workflow into a single engagement rather than stitching together separate vendors. Schedule a consultation to discuss your organization's compliance needs.