HireSecurityNow.com
California SB-553 Workplace Violence Prevention: What Employers Must Do (2026)
Licensing & Compliance

California SB-553 Workplace Violence Prevention: What Employers Must Do (2026)

16 min read

HireSecurityNow.com Editorial Team

July 5, 2026 · 16 min read· Fact-checked

In this guide

California SB-553 requires most employers to maintain a Workplace Violence Prevention Plan, incident log, and training. Here's what's required and how security services help you comply.

Quick answer

California's SB-553 (codified at Labor Code section 6401.9, enforceable since July 1, 2024) requires almost every California employer to adopt a written Workplace Violence Prevention Plan (WVPP), keep a violent-incident log, train employees, and identify and correct violence hazards. Cal/OSHA enforces it through the same citation-and-penalty process it uses for the Injury and Illness Prevention Program. For 2026, Cal/OSHA penalties reach $25,000 per serious violation and $162,851 per willful or repeat violation, and simply having no compliant plan is itself citable. SB-553 also expanded workplace-violence restraining orders under Code of Civil Procedure 527.8 (operative Jan 1, 2025). Private security, professional risk assessments, and de-escalation training are practical tools for meeting the hazard-control and response obligations — get quotes from licensed providers to price the coverage your plan calls for.

SB-553 gave California the country's first general-industry (not just healthcare) workplace-violence prevention law. If you operate in California and have employees, you almost certainly have to comply — and "we adopted a template plan" is not the same as meeting the statute. This guide explains what the law actually requires, how Cal/OSHA enforces it, the restraining-order remedy the same bill created, and where security services and assessments fit into a defensible compliance program. It is general information, not legal advice; confirm specifics with employment counsel for your operation.

Key dates: the SB-553 compliance timeline

SB-553 rolled out in stages, and the rules are still tightening. Here is the consolidated timeline a buyer needs on one screen.

DateWhat happened
Sept 30, 2023Governor signs SB-553 (Cortese).
Jan 1, 2024Amendment to Labor Code 6401.7 (the IIPP statute) takes effect, tying workplace-violence obligations into the injury-and-illness framework.
July 1, 2024Labor Code 6401.9 becomes operative and enforceable — written plan, log, training, and hazard correction are now required.
Jan 1, 2025SB-553's amendments to Code of Civil Procedure 527.8 take effect — collective-bargaining reps may petition for workplace-violence restraining orders, employees may opt out of being named, and (via coordinated SB-428) harassment becomes a basis.
Dec 31, 2025Statutory deadline for Cal/OSHA to propose a permanent general-industry standard to the Standards Board.
June 1, 2026Public-comment deadline on Cal/OSHA's revised draft standard (released April 24, 2026).
Dec 31, 2026Statutory deadline for the Standards Board to adopt the permanent standard.

What SB-553 requires and who it covers

Senate Bill 553 (Cortese) was signed September 30, 2023. It amended Labor Code section 6401.7 and added a new section, 6401.9, which became operative and enforceable on July 1, 2024. The core obligations are four: maintain a written Workplace Violence Prevention Plan, record incidents in a violent-incident log, train employees, and identify, evaluate, and correct workplace-violence hazards on an ongoing basis.

Coverage is deliberately broad. The requirement applies to essentially all California employers, employees, workplaces, and employer-provided housing. The statute defines "workplace violence" as any act or threat of violence at a place of employment, including physical force that results in — or has a high likelihood of resulting in — injury, psychological trauma, or stress (whether or not an injury occurs), and any incident involving a firearm or other dangerous weapon, including common objects used as weapons. Lawful acts of self-defense or defense of others are excluded.

There are narrow exemptions. If you fall outside every carve-out below, assume you are covered — and note that each exemption comes with its own condition:

ExemptionCondition attached
TeleworkersOnly where the employee works from a location of their own choosing that is not under the employer's control.
Small worksites (fewer than 10 employees)Applies only when fewer than 10 employees are present at any given time and the site is not open to the public and the employer maintains a compliant Injury and Illness Prevention Program under Title 8, Section 3203. Lose the IIPP and you lose the exemption.
Law enforcement and correctionsCertain law-enforcement agencies and Department of Corrections and Rehabilitation facilities.
Covered healthcareFacilities and operations already subject to Cal/OSHA's Violence Prevention in Health Care standard (Title 8, Section 3342) — they follow that rule instead, not a second 6401.9 plan.
Heads up — the small-employer exemption is narrowing.

Cal/OSHA's April 2026 draft permanent standard would change how the "fewer than 10 employees" headcount is measured — from a point-in-time count to whether you had 10 or fewer employees at the site across the preceding 365 days. Employers with seasonal or fluctuating staffing who rely on this exemption today may lose it under the permanent rule. Comments were open through June 1, 2026; the statute governs until the standard is adopted.

The Workplace Violence Prevention Plan (WVPP)

The heart of the law is a written, worksite-specific plan. It can stand alone or be built into your existing IIPP, but it must be in effect at all times and available to employees. Cal/OSHA published a model plan in March 2024 that you may adopt, but the agency cautions that using the model by itself does not ensure compliance — it is a generic "fill-in-the-blank" template that will not automatically match your worksite, hazards, or existing IIPP, so most employers should tailor it. (You can download the current Model Written Workplace Violence Prevention Plan for General Industry from Cal/OSHA's General Industry page.)

Section 6401.9 requires the plan to include, at minimum:

  • The names or job titles of the people responsible for implementing the plan.
  • Procedures to obtain the active involvement of employees and their authorized representatives in developing and implementing the plan.
  • Methods for coordinating implementation with other employers who share the workplace (relevant to landlords, staffing agencies, and multi-tenant sites).
  • Procedures to ensure supervisory and non-supervisory employees comply with the plan.
  • Procedures to accept and respond to reports of workplace violence and to communicate with employees about workplace-violence matters, including how to report incidents without fear of reprisal or retaliation.
  • Procedures to respond to actual and potential workplace-violence emergencies.
  • Procedures to identify, evaluate, and correct workplace-violence hazards, including scheduled periodic inspections and a post-incident response and investigation process.
  • Procedures to review the plan's effectiveness and revise it as needed.

The plan must be reviewed at least annually, whenever a deficiency becomes apparent, and after any workplace-violence incident. It must be accessible to employees — on the worksite, posted in common areas, or available electronically via an intranet or software platform. The hazard-identification and correction element is where physical security controls live: access control, lighting, panic alarms, camera coverage, guard staffing, and safe-room or lockdown procedures are all "corrective measures" you can document as part of the plan.

Who owns the plan for temp workers, staffing agencies, and shared sites

One of the most common real-world questions — and one 6401.9 answers only in part — is who is responsible when more than one employer touches a worksite. The statute requires your plan to include methods for coordinating implementation with other employers who share the space, but it does not let anyone off the hook. In practice:

  • Temporary and leased workers. Under California's dual-employer doctrine, both the staffing agency and the host/client employer generally share responsibility for a temp's safety. The host controls the physical worksite and its hazards, so it typically owns hazard identification, correction, and site-specific training; the agency shares training and recordkeeping duties. Don't assume the agency's boilerplate plan covers your floor — it rarely reflects your actual hazards.
  • Contract security officers. Your guard vendor is itself an employer with its own 6401.9 obligations, but that does not transfer your plan duties to them. Coordinate: your WVPP should reference the guard scope, and the vendor's incident reporting should feed your log.
  • Multi-tenant and landlord sites. Common areas, parking structures, and shared entrances are frequent Type 1/Type 2 hazard zones. Coordinate lighting, access control, and emergency response with the property manager and neighboring tenants, and document that coordination in your plan.
Buyer tip: If you use a staffing agency, put WVPP responsibilities in the service agreement — who trains, who investigates, who logs the incident, and who corrects the hazard. Ambiguity here is exactly what Cal/OSHA cites after an incident.

The violent-incident log and recordkeeping

Separate from OSHA injury logs, SB-553 requires a dedicated violent-incident log. You must record every workplace-violence incident, including near-misses and threats, based on information from employees who experienced or witnessed the event. For each incident the log must capture:

  • The date, time, and location of the incident.
  • The workplace-violence type — the statute's classification is Type 1 (perpetrator has no legitimate business at the worksite, e.g., a robber), Type 2 (customer, client, patient, student, inmate, or visitor), Type 3 (a present or former employee, supervisor, or manager), and Type 4 (a person with a personal relationship to an employee, e.g., domestic violence spilling into work).
  • A detailed description: physical attack, attack with a weapon, threat, sexual assault, and so on, and whether weapons or objects were involved.
  • The classification of who committed the act (customer, coworker, stranger, etc.) and the circumstances at the time (poor lighting, isolation, low staffing, etc.).
  • The consequences — whether security or law enforcement was contacted and what actions were taken to protect employees from a continuing threat.

Two privacy rules matter: the log must omit personal identifying information, and workplace-violence records must not contain "medical information" as defined by the Civil Code. On retention, the log must be kept for a minimum of five years. So must hazard-identification/correction records and incident-investigation records. Training records must be kept for at least one year — though because the other records run on a five-year cycle, many employers simply retain everything for five years. All of these records must be made available to employees, their authorized representatives, and Cal/OSHA on request, without cost, for examination and copying within 15 calendar days.

Buyer tip: If you contract guards or patrols, require the vendor's incident reports to feed your violent-incident log with the fields above. A vendor whose reporting doesn't map to the Type 1–4 classification and corrective actions creates a compliance gap. Review reporting expectations before you sign — our guide to hiring a security guard company and to security contracts and insurance covers what to put in the scope of work.

Employee training requirements

Employers must provide effective, interactive training tailored to the violence risks employees face in their specific jobs and at their specific location. Training must be delivered when the plan is first established and at least annually thereafter, plus additional training whenever a new or previously unrecognized hazard is identified or the plan changes materially. At minimum, training must cover:

  • The employer's plan, how it works, and how to participate in and get a free copy of it.
  • How to report workplace-violence incidents or threats to the employer or law enforcement without fear of reprisal.
  • Workplace-violence hazards specific to the employees' jobs, and the corrective measures the employer has put in place.
  • The violent-incident log and how to obtain copies of it and other records.
  • An opportunity for interactive questions and answers with a person knowledgeable about the plan.

Training records must document the dates, contents or a summary, the names and qualifications of the trainers, and the names and job titles of attendees. The statutory standard is specific: training has to be interactive, annual, and job- and site-specific. A passive video or a one-size-fits-all module does not meet it.

Where vendors fit (a commercial note, not the legal minimum): Many security firms offer de-escalation and situational-awareness training, which is the most valuable content for high-contact roles (retail, front desk, healthcare, hospitality). This can help satisfy the job-specific portion of your obligation — but only if it is interactive, tailored to your actual jobs and worksite, and documented per Section 6401.9 with the trainer's qualifications and attendee list. A generic, canned de-escalation course purchased off the shelf does not satisfy the standard on its own, and buying it does not relieve you of the annual, plan-specific training duty.

Enforcement, deadlines and penalties (Cal/OSHA)

SB-553 folded workplace-violence obligations into the IIPP framework, so Cal/OSHA enforces it through its standard citation-and-penalty process — inspections, complaint investigations, and citations. There is no separate registration; the operative deadline was simply July 1, 2024, and enforcement has been active since.

Crucially, penalties do not attach only after a reported assault. Failing to have, or failing to actually implement, a compliant WVPP is itself citable — commonly as a general/regulatory violation and, where the exposure is serious, as a serious violation. Recordkeeping failures (no log, incomplete log, records not produced within 15 days) have their own tier. Because each requirement is a separate obligation, Cal/OSHA can cite multiple instances on a single inspection, and each carries its own per-violation penalty. An employer with no plan at all can be cited even if nothing violent has ever happened on site.

2026 Cal/OSHA penalty schedule (figures current as of July 2026): Cal/OSHA's civil penalties track the federal OSHA schedule, which adjusts annually for inflation. For 2026 there was no CPI increase — the Bureau of Labor Statistics could not produce the required October 2025 CPI figure during the federal government shutdown, so the 2025 amounts carry into 2026 unchanged. The current maximums are:

Violation type2026 maximum (per violation)
General / regulatory (incl. posting and recordkeeping — e.g., no plan on file, no log)$16,285
Serious (realistic possibility of death or serious harm)$25,000 (fixed California statutory cap; does not track CPI)
Willful or repeat$162,851 maximum; $11,632 minimum for willful

Penalties are not applied at the maximum automatically — Cal/OSHA sets a base within the category and adjusts for gravity, employer size, good faith, and history — but because a missing or unimplemented plan can be cited as several separate violations, real-world exposure adds up fast. The compliance takeaway is blunt: adopt a tailored plan, actually implement it, document every incident, correct hazards promptly, and keep records producible within 15 days.

Workplace-violence restraining orders (Code of Civil Procedure 527.8)

The other half of SB-553 — right in the bill's title, "restraining orders and workplace violence prevention plan" — is an employer remedy most compliance guides skip. If a threatening ex-employee, hostile customer, or stalker is targeting your staff, you don't have to wait for them to act. Under Code of Civil Procedure 527.8, an employer whose employee has suffered unlawful violence or a credible threat of violence that can reasonably be construed to be carried out at the workplace may petition for a temporary restraining order and an order after hearing, on behalf of that employee and other employees at the workplace. SB-553 amended this statute effective January 1, 2025. Key changes:

  • Who can petition. As of January 1, 2025, in addition to the employer, a collective-bargaining representative of the affected employee may seek the order on the employee's behalf and on behalf of other employees at the workplace.
  • Employee opt-out. Before filing, the employer or union rep must give the affected employee an opportunity to decline to be named in the TRO. If the employee opts out, that does not block the employer from still seeking an order to protect other employees — and, where appropriate, employees at other worksites.
  • Harassment as a basis. Through coordinated Senate Bill 428 (also operative January 1, 2025), the grounds expanded beyond violence and credible threats to include harassment — a knowing and willful course of conduct directed at a specific person that seriously alarms or annoys them, serves no legitimate purpose, and causes substantial emotional distress.

Note the limit: 527.8 is an employer (or union) tool. An individual employee still cannot file a workplace-violence restraining order on their own behalf under this statute; a targeted worker who wants to act personally would use the separate civil-harassment process (CCP 527.6). For businesses, though, 527.8 is a fast, concrete way to put a court order between a dangerous individual and your people — pair it with the physical controls your WVPP already documents.

The forthcoming permanent Cal/OSHA standard (2026 status)

Right now, employers comply directly with the statute (6401.9). A permanent regulatory standard is still in rulemaking, and it is close. Cal/OSHA released a revised discussion draft on April 24, 2026 (a substantial rewrite of the earlier May 2025 draft), and the Standards Board accepted public comments through June 1, 2026. A final vote is expected in late summer 2026, with an anticipated implementation date of January 1, 2027; the statutory backstop requires adoption no later than December 31, 2026.

For buyers setting multi-year security budgets, the direction of travel matters: the draft would expand scope to employer-provided transportation (company shuttles and fleet vehicles), narrow the small-employer exemption (365-day headcount test), require remote-training questions to be answered within one business day, and remove stalking from the definition of "workplace violence" while keeping it as an example hazard. The rules can tighten before your next renewal — build flexibility into contracts now.

Minimum viable WVPP: a compliance checklist

If you want a fast self-assessment, this is the shortest defensible path. If you can't check every box, you have a gap Cal/OSHA can cite.

Am I compliant? Quick checklist
  • ☐ A written, worksite-specific WVPP is in effect and accessible to employees (standalone or inside your IIPP) — not just the unedited Cal/OSHA template.
  • ☐ Named person(s) responsible for implementation.
  • ☐ Procedures for employee involvement, reporting without retaliation, emergency response, and coordination with other employers on shared sites.
  • ☐ A hazard identification, evaluation, and correction process, with periodic inspections and post-incident investigation.
  • ☐ A violent-incident log capturing Type 1–4 classification, circumstances, and consequences (no personal identifiers, no medical information).
  • Interactive, job-specific training delivered at rollout and annually, with dates, content, trainer qualifications, and attendees documented.
  • ☐ Records retained ≥5 years (training ≥1 year) and producible to employees/Cal/OSHA within 15 days.
  • ☐ Plan reviewed at least annually, after any incident, and whenever a deficiency appears.
  • ☐ You know your CCP 527.8 restraining-order option for specific threats.

Verify against the primary sources rather than a summary: the statute itself (SB-553 / Labor Code 6401.9 bill text), Cal/OSHA's General Industry Workplace Violence Prevention page and its downloadable model plan, and Cal/OSHA's main workplace-violence resource page for rulemaking updates.

Where outside security help fits your compliance program

SB-553's hazard-identification-and-correction requirement is where outside security expertise earns its keep. A professional security risk assessment maps your Type 1–4 exposure — cash handling, public access, isolated workers, parking-lot lighting, entry control — and produces documented findings and recommended corrections, which is exactly the record Cal/OSHA looks for. That assessment becomes the backbone of the hazard section of your written plan, and the physical controls it recommends become the "corrective measures" you log: on-site security guards to deter Type 1 and Type 2 violence, mobile patrol and video surveillance for after-hours coverage and stronger incident investigations, and de-escalation training for high-contact roles.

Sector context shapes the controls. Retail — organized retail crime, robberies, customer aggression — was a major driver of the law and carries some of the clearest hazard-correction duties (cash-drop procedures, panic alarms, camera coverage, trained staff); see retail loss-prevention security. Healthcare sits in a different lane: hospitals already covered by the Title 8 Section 3342 standard are exempt from a second 6401.9 plan, but face the highest Type 2 patient/visitor risk of any sector. Multifamily housing and hospitality fall squarely under 6401.9 and benefit from the same assess-then-control approach.

These are recurring costs, so budget for them. Use our security cost calculator to estimate staffing around your hours of exposure, then verify any provider's license before you sign and request scope-matched quotes from vetted security companies.

Frequently asked questions

Does adopting Cal/OSHA's model WVPP template satisfy the law?+
No. Cal/OSHA's model plan is a generic fill-in-the-blank template and the agency itself warns that using it as-is does not ensure compliance. Section 6401.9 requires a worksite-specific plan that reflects your actual hazards, responsible personnel, reporting and emergency procedures, and coordination with any other employers who share your site. Adopt the template only as a starting point, then tailor it — an unedited template is a common citation.
Are remote and hybrid employees covered by SB-553?+
Employees who telework from a location of their own choosing that is not under the employer's control are generally exempt from the WVPP requirement. Hybrid workers are covered while at the employer's worksite. Note that Cal/OSHA's 2026 draft permanent standard would extend coverage to employer-provided transportation (company shuttles and fleet vehicles), so remote-adjacent settings you control can still be in scope.
What happens if I don't have a Workplace Violence Prevention Plan?+
A missing, generic, or unimplemented plan is itself citable by Cal/OSHA — you do not need a reported assault for penalties to attach. It is commonly cited as a general/regulatory violation (2026 maximum $16,285 per violation) or, where exposure is serious, as a serious violation (up to $25,000). Recordkeeping failures carry their own tier, and Cal/OSHA can cite multiple separate instances on one inspection. Willful or repeat violations reach $162,851.
Do staffing-agency and temporary workers count toward my obligations?+
Yes. Under California's dual-employer doctrine, the host/client employer and the staffing agency generally share responsibility for a temp worker's safety. Because the host controls the physical worksite, it typically owns site-specific hazard identification, correction, and training, while the agency shares training and recordkeeping duties. Section 6401.9 requires your plan to include methods for coordinating implementation with other employers who share the workplace, so spell out these responsibilities in your service agreement.
Can my business get a restraining order against someone threatening my employees?+
Yes. Under Code of Civil Procedure 527.8 — amended by SB-553 effective January 1, 2025 — an employer can petition for a temporary restraining order on behalf of an employee who has suffered unlawful violence, a credible threat, or (via coordinated SB-428) harassment that could be carried out at the workplace, and on behalf of other employees. A collective-bargaining representative may now also petition, and the affected employee can opt out of being named without blocking protection for coworkers. An individual employee cannot self-file under 527.8; they would use the separate civil-harassment process (CCP 527.6).

Share this guide

Need to hire a security company?

Get free quotes from licensed security companies in your area.

Get free quotes