SB-553 for Small Businesses: What California Employers with 10–50 Employees Actually Need

California’s SB-553 does not have a small business exemption. If you have ten or more employees at a location that members of the public can access — a retail store, a restaurant, a medical office, a salon, a property management office — the law applies to you. The same law that applies to a 500-person healthcare system applies to your 14-person clothing boutique.

The compliance requirements are not scaled to your size. But the practical implementation of those requirements can be — and for most small businesses, a compliant program is less complicated and less expensive than the volume of SB-553 content online suggests.

This article is written specifically for small California employers: business owners, office managers, and HR generalists who are responsible for SB-553 compliance without a dedicated security team, a legal department, or a large training budget. Here is what you actually need.

Does SB-553 Apply to Your Business?

SB-553 applies to virtually every California employer. The narrow exceptions are: employers with fewer than ten employees at a location that is not accessible to the public, healthcare facilities already covered by the existing Cal/OSHA healthcare standard, and a handful of other specific categories.

The “accessible to the public” language is interpreted broadly. If customers, clients, patients, vendors, or visitors can enter your premises — you are covered. A back-office location where only employees work may qualify for the limited exception. A storefront, a medical office, a salon, a warehouse with a customer pickup area, or any location where members of the public regularly enter does not.

The ten-employee threshold counts employees at that location, not your total workforce. If you have 30 employees across three California locations, each location with fewer than ten employees may qualify for the limited exception — but you should verify this interpretation with legal counsel before relying on it, because Cal/OSHA’s enforcement posture on multi-location employers is still developing.

What Are the Three Things Every Covered Employer Needs?

SB-553 requires three things. All three are required simultaneously. You cannot satisfy the law with just one or two.

1. A Written Workplace Violence Prevention Plan

The WVPP is the foundation. It must be written, it must be site-specific — meaning it addresses the hazards and procedures at your particular location, not a generic template — and it must cover a defined set of elements:

• A named person responsible for implementing and maintaining the plan (for a small business, this is usually the owner or a designated manager)
• Procedures for employees to report workplace violence concerns and incidents without fear of retaliation
• How the employer will respond to and investigate reported incidents
• How the employer will identify and evaluate workplace violence hazards specific to the location
• The corrective measures the employer has implemented or will implement to address identified hazards
• Emergency response procedures for the location

Cal/OSHA has published a model WVPP that small employers can use as a starting point. The model is available at no cost at dir.ca.gov. The critical point: the model must be customized for your location. A plan that was downloaded, minimally edited, and filed is not a compliant plan — it is a template with your business name on it, and a Cal/OSHA compliance officer can identify one immediately.

What “site-specific” means in practice for a small business:

• Your hazard assessment should reflect your actual work environment — do you handle cash? Are you open late? Do you have a parking lot with limited lighting? Do you serve a high-stress customer population?
• Your corrective measures should describe what you have actually done or will do — not what a generic plan says employers generally do
• Your emergency procedures should reference your actual exits, your actual alarm system, and your actual contacts

2. A Violent Incident Log

Every workplace violence incident must be recorded in a Violent Incident Log. “Incident” means any act of violence or threat of violence — not just physical attacks. A threatening customer, a verbal threat from a coworker, a near-miss that didn’t result in injury — all of these must be logged.

The log must capture: the date, time, and location of the incident; the type of violence (Type 1 through 4); a description of what happened; who was involved; any injuries sustained; and what corrective actions were taken. Personal identifying information about victims is not required in the log.

For a small business, the log can be a simple spreadsheet or form — it does not need to be elaborate. What it needs to be is maintained consistently. A log that records only serious physical assaults and omits threats, near-misses, and verbal incidents is not compliant. Entries must be made for every reportable event, regardless of severity.

The log must be retained for five years and made available to employees and their representatives on request. This means you need to know where your log is, and your employees need to know they can ask to see it.

3. Annual Training

Every employee must receive training when the plan is first established and annually thereafter. The training must cover:

• Your WVPP — what it says and how to obtain a copy
• How to report workplace violence concerns and incidents
• The Violent Incident Log — what it is and how to access it
• The four types of workplace violence and how to recognize hazards
• How to respond to a threatening situation
• Post-incident support available to employees

The training must include an interactive discussion element— a video with no Q&A component does not satisfy this requirement. For a small business, the most practical approach is a brief facilitated discussion after watching a training video, where employees can ask questions and the manager or owner can walk through the site-specific elements.

Training must be documented: the date, attendees, topics covered, facilitator name, and evidence of the interactive discussion. Keep these records for at least one year.

What Do You Probably Not Need?

Small business compliance anxiety is often driven by content written for large organizations. Here is what most small California businesses do not need in order to be compliant:

A Threat Assessment Team. Formal behavioral threat assessment teams are recommended for organizations large enough to have the internal capacity to staff and maintain one — typically 200 or more employees. A 15-person retail store does not need one. What it needs is a clear procedure for what happens when an employee reports a concern, and a designated manager who knows to take it seriously.

A security director or dedicated safety staff. SB-553 requires a named responsible person — not a credentialed security professional. For most small businesses, the owner, the general manager, or the HR manager is the appropriate responsible party. What matters is that the person named actually knows what the plan says and how to implement it.

An elaborate training program. A compliant annual training can be conducted in 45–60 minutes using a commercially available SB-553 training video — such as the Kestralis Group training package — followed by a brief facilitated discussion. The total time investment per employee per year is less than one hour. The documentation requirement is a sign-off sheet.

A complex incident reporting system.For a small business, the reporting procedure can be as simple as “report to [name], who can be reached at [phone number], and if that person is not available, call [backup].” What matters is that employees know who to tell and that the procedure is documented in the plan.

What Mistakes Do Small Businesses Most Often Make?

Using a template without customization.The Cal/OSHA model plan is a starting point, not a finished product. A compliance officer reviewing a WVPP can spot a template in minutes. Customization does not require a security expert — it requires someone who knows your location, your workforce, and your customer population to answer the plan’s questions honestly.

Logging only physical assaults. The Violent Incident Log must record all incidents — threats, near-misses, verbal confrontations — not just events where someone was hurt. The pattern of smaller events is often the most useful information for identifying and correcting hazards. And a log that omits reportable events is a compliance gap.

Treating training as a video without discussion.The interactive discussion requirement is explicit in the law. A training that consists of watching a video and signing a sheet does not satisfy it. The discussion does not need to be long — fifteen minutes of genuine Q&A with a manager who knows the plan is compliant. The discussion must be documented.

Never reviewing the plan. The WVPP must be reviewed at least annually — and after any workplace violence incident, and whenever a deficiency is identified. A plan created in 2024 with no documented review since is already out of compliance. The annual review does not need to be elaborate: a one-page memo documenting that the plan was reviewed, whether any changes were made, and who conducted the review satisfies the requirement.

What Does Non-Compliance Actually Cost a Small Business?

A Cal/OSHA willful violation carries a maximum penalty of $162,851. A serious violation is up to $25,000. These numbers are frequently cited — and they are real — but they represent the regulatory enforcement risk, not the total financial exposure.

For a small business, the more significant risk is civil liability. A workplace violence incident at a business without a compliant prevention program creates the foundation for a negligent security or failure-to-protect claim. The average civil verdict in a California workplace violence case is approximately $2–3 million. A $5,000 WVPP and annual training program that prevents one such claim — or that provides a credible defense in the event of one — produces a return on investment that is not close.

You can use the Kestralis Exposure Calculator to estimate your specific three-year financial exposure based on your industry, location type, and current compliance status. The tool is free and takes about 90 seconds.

What Is the Practical Path to Compliance for a Small Business?

For most small California employers, the path to compliance follows this sequence:

• Start with a gap assessment.Before writing anything, understand what you have and what you’re missing. If you have a plan already, is it site-specific? If you have a log, is it capturing all required incidents? If you’ve done training, was it documented with an interactive component?
• Customize the plan.Use the Cal/OSHA model or a professionally developed template as your starting point. Walk your location with the plan in hand and answer its questions honestly. Have a trusted employee review it and identify anything that doesn’t match their experience of the work environment.
• Set up the Violent Incident Log. Create a simple spreadsheet or form with the required fields. Designate who is responsible for making entries and make sure every employee knows how to report.
• Deliver and document training. Use a compliant training video, follow it with a brief facilitated discussion, and collect signatures on a documentation form. Calendar the same training for twelve months later.
• Calendar the annual review. Set a recurring annual reminder. The review takes 30–60 minutes. Document it with a brief memo.

For most small businesses, this sequence can be completed in a few days of focused effort. The ongoing maintenance — annual review, annual training, consistent incident logging — is manageable for any organization with a designated responsible person and a calendar reminder.

For small employers who want professional support — a compliant plan built by someone with SB-553 expertise, or a readiness assessment that identifies exactly where the gaps are — Kestralis Group’s SB-553 services start with a readiness assessment at $3,500. See the California SB-553 compliance page for the full picture, or review the seven most common SB-553 compliance failures to understand where small employers most often fall short.