Compliance Training: What It Is and What Your Business Needs
Compliance Training
Types, requirements, and how to deliver it without an HR department
At a previous company, we hired our seventh employee and nobody mentioned anti-harassment training. We were in California. The requirement had applied to us since employee number five. I found out eight months later when I was reviewing compliance requirements for an unrelated reason. Those eight months of non-compliance were not intentional. They were the result of not knowing what we did not know.
That experience is common at growing businesses. Compliance training requirements accumulate as you cross employee-count thresholds, expand into new states, or enter regulated industries. Nobody sends you a notification. You are expected to know. This guide covers what compliance training is, the six types every business should understand, which states require what, the deadlines and penalties involved, how to deliver training without a dedicated HR or L&D team, and how to track completion so you can prove you did it. I built compliance tracking into FirstHR as part of onboarding specifically because compliance training and new hire onboarding are the same workflow for growing businesses.
What Is Compliance Training?
Compliance training is structured employee education that covers the laws, regulations, and company policies employees are legally required to understand and follow. Unlike optional professional development or role-specific skill training, compliance training exists because a law, regulation, or industry standard mandates it.
The distinction between compliance training and other types of employee training is legal obligation. Teaching a new hire to use your CRM is role-specific training. Teaching them about sexual harassment prevention because California law requires it is compliance training. The first is optional (though valuable). The second is mandatory (and carries penalties for non-compliance). The employee training guide covers the full spectrum of training types.
6 Types of Compliance Training
Compliance training covers six broad categories. Not every category applies to every business. Which ones apply to you depends on your state, your industry, the number of employees you have, and the type of data you handle. Here are all six, with the trigger conditions that determine whether each one applies.
Anti-Harassment Training
Anti-harassment training is the compliance category most likely to affect growing businesses because the employee-count thresholds are low (as few as 1 employee in some states) and the legal exposure from non-compliance is high. The training covers what constitutes sexual harassment, how to report it, what retaliation looks like, and what the company's obligations are when a complaint is made.
Six states currently mandate anti-harassment training: California (5+ employees, 2 hours for supervisors, 1 hour for non-supervisory), Connecticut (3+ employees, 2 hours), Delaware (50+ employees, interactive training), Illinois (1+ employees), Maine (15+ employees), and New York (1+ employees). Several additional states have voluntary guidelines expected to become mandatory. The compliance hub provides state-by-state requirements.
Workplace Safety (OSHA)
OSHA training requirements apply to all employers who expose employees to workplace hazards. This is broader than most business owners realize. "Hazardous conditions" includes not only construction sites and manufacturing floors but also healthcare settings (bloodborne pathogens), retail environments (ergonomic hazards, slip-and-fall), and offices (fire evacuation, electrical safety). OSHA does not exempt small businesses from training requirements.
Data Privacy
Data privacy training is required whenever employees handle sensitive information. HIPAA applies to healthcare providers, health plans, and their business associates. PCI DSS applies to any business that stores, processes, or transmits payment card data. State privacy laws like California's CCPA and New York's SHIELD Act impose additional requirements. The HR document management guide covers what data you must protect and how.
Anti-Discrimination (EEO)
While no federal law explicitly requires anti-discrimination training, the EEOC strongly recommends it, and courts consistently consider the presence or absence of training when evaluating employer liability in discrimination cases. Training covers Title VII protected classes (race, color, religion, sex, national origin), ADA accommodation obligations, ADEA age discrimination protections, and equal pay requirements.
Ethics and Code of Conduct
Ethics training is not always legally required, but it serves as the foundation for other compliance programs. When employees understand the company's values, conflict-of-interest policies, and reporting channels, they are more likely to comply with specific regulatory requirements. The code of conduct guide covers how to build ethics training into your onboarding process.
Industry-Specific Compliance
Many industries have training requirements that go beyond the general categories above. Food service requires food handler certifications. Real estate requires licensing and continuing education. Financial services requires anti-money laundering (AML) and know-your-customer (KYC) training. Healthcare requires HIPAA plus clinical-specific protocols. Construction requires OSHA 10 or OSHA 30 certifications. Check your industry's regulatory body for specific requirements.
State-by-State Anti-Harassment Training Requirements
Anti-harassment training is the compliance topic with the most variation across states. The table below covers the six states with current mandates. Requirements change frequently, so verify current rules through your state's labor department or the HR rules and regulations guide.
| State | Employer Size Threshold | Training Duration | Deadline for New Hires | Refresher Requirement |
|---|---|---|---|---|
| California | 5+ employees | 2 hrs (supervisors), 1 hr (non-supervisory) | Within 6 months of hire or promotion | Every 2 years |
| Connecticut | 3+ employees | 2 hrs (supervisors), 2 hrs (employees) | Within 6 months of hire | Periodic (recommended every 3 years) |
| Delaware | 50+ employees | Interactive training (no set duration) | Within 1 year of hire | Every 2 years |
| Illinois | 1+ employees (any employer) | 1 hr minimum | Within first calendar year of hire | Annual |
| Maine | 15+ employees | Education within first year | Within 1 year of hire | No specific requirement |
| New York | 1+ employees (any employer) | Interactive (no set minimum duration) | As soon as possible after hire | Annual |
Two important details most guides miss. First, "supervisors" often have higher training requirements than non-supervisory employees (California requires double the hours). When you promote someone to a supervisory role, they need the supervisor-level training even if they already completed the employee-level version. Second, "interactive" training (required in NY, DE, CT) means the training must allow questions and provide examples relevant to the workplace. A static PDF that employees click through does not meet the "interactive" standard in these states.
Deadlines and Penalties
Compliance training deadlines are tied to the hire date, promotion date, or calendar year. Missing them does not trigger an immediate fine in most cases, but it creates exposure that compounds over time.
| Training Type | Typical Deadline | Penalty for Non-Compliance |
|---|---|---|
| Anti-harassment (CA) | Within 6 months of hire | No direct fine, but increased liability in lawsuits. DFEH can order training. |
| Anti-harassment (NY) | As soon as possible after hire | No direct fine, but failure to train is evidence of negligence in lawsuits. |
| Anti-harassment (IL) | Within first calendar year | Up to $5,000 per violation (civil penalty). |
| OSHA safety training | Before employee performs hazardous tasks | Up to $16,131 per violation (serious); $161,323 for willful violations. |
| HIPAA privacy training | Before accessing protected health information | $141 to $2,134,831 per violation, depending on severity tier. |
| PCI DSS awareness | Before handling cardholder data | Fines from card brands, potential loss of processing privileges. |
| Food handler certification | Before handling food (most jurisdictions) | Health department citations, fines, potential closure. |
The less visible penalty is litigation exposure. When an employee files a harassment complaint and the employer cannot produce evidence that the employee received anti-harassment training, courts treat this as evidence that the employer did not take prevention seriously. Research from the Work Institute consistently identifies inadequate training as a top driver of early turnover, compounding the legal risk with the financial cost of replacing departing employees. SHRM emphasizes that documented training is a critical component of an employer's affirmative defense in harassment cases. The training itself may not prevent every incident, but the documentation of training significantly affects the legal outcome.
How to Deliver Compliance Training
Growing businesses have four realistic options for delivering compliance training. The right choice depends on your budget, the number of employees, and whether your state requires interactive training.
| Delivery Method | Cost | Best For | Meets 'Interactive' Requirement? |
|---|---|---|---|
| Online self-paced courses (third-party providers) | $20-$75 per employee per course | Businesses with 5-50 employees, standard compliance topics | Yes, if the course includes questions, scenarios, and assessments |
| Live webinar or virtual instructor-led | $200-$1,000 per session | Businesses requiring interactive training (NY, CT, DE), team-wide rollouts | Yes |
| In-person instructor-led | $500-$5,000 per session | Hands-on safety training, high-risk industries, small groups | Yes |
| HR platform with built-in training modules | $98-$300/month (platform cost) | Businesses that want compliance training integrated with onboarding workflows | Yes, if modules include interactive elements |
For most growing businesses, the practical approach is third-party online courses for state-mandated topics (anti-harassment, safety) combined with an HR platform for tracking completion and integrating training into onboarding. The courses provide the content. The platform provides the workflow: assign training on hire date, send reminders before deadlines, track completion, and store records. The HR technology guide covers how training tools fit within the broader tech stack.
Compliance Training During Onboarding
Compliance training should be embedded in your onboarding process, not treated as a separate activity. The reason is practical: onboarding already involves deadlines (I-9 by Day 3, state new hire reporting within 20 days), assigned tasks, and tracking. Adding compliance training to the same workflow ensures it gets the same rigor.
| Onboarding Day | Compliance Training Action | Why This Timing |
|---|---|---|
| Day 1 | Assign anti-harassment training module, assign safety orientation (if applicable) | Starts the clock on state-mandated deadlines |
| Week 1 | Complete general safety training, begin data privacy training (if handling sensitive data) | Employee begins actual work and needs to understand safety and data protocols |
| Week 2-4 | Complete anti-harassment training, complete industry-specific compliance modules | Sufficient time to complete interactive training without rushing through it |
| Day 30 | Verify all assigned compliance training is complete, document completion dates | Most state deadlines fall within 30-180 days; Day 30 check catches gaps early |
| Day 90 | Confirm all compliance training documented in personnel file, schedule next renewal | Final onboarding milestone; ensures nothing was missed before the employee transitions out of new-hire status |
The compliance onboarding guide covers the full integration of compliance requirements into the onboarding workflow, including I-9, W-4, state new hire reporting, and E-Verify alongside training requirements. The new hire paperwork guide provides the complete task list.
Tracking and Documentation
Compliance training that is not documented is compliance training that did not happen. This is not an exaggeration. In an OSHA audit, an EEOC investigation, or a harassment lawsuit, the question is not "did you train your employees" but "can you prove you trained your employees." Verbal confirmation is not proof. A completed checklist with dates and signatures is proof.
What to Track for Every Training Event
For each compliance training completed by each employee, record: the employee's name and ID, the training topic, the date completed, the duration, the delivery method (online, in-person, webinar), the provider or course name, assessment results (if applicable), and the employee's acknowledgment signature. Store these records in the employee's personnel file and retain them for at least 3 years after the employee's departure (longer in some states and for some training types).
Retention Periods
| Training Type | Minimum Retention Period | Authority |
|---|---|---|
| Anti-harassment training records | 3 years minimum (varies by state) | State labor departments |
| OSHA safety training records | Duration of employment + 30 years (for exposure records) | 29 CFR 1910.1020 |
| HIPAA training records | 6 years from creation or last effective date | 45 CFR 164.530(j) |
| General employment training records | 3 years after training date | EEOC guidance, state laws |
The employee records retention guide covers the full retention schedule across all document types. The file organization guide explains how to structure your records for easy retrieval during audits.
Common Mistakes
Five compliance training mistakes appear repeatedly at growing businesses. All of them create risk that is avoidable with basic planning.
Frequently Asked Questions
What is compliance training?
Compliance training is mandatory employee education that covers laws, regulations, and company policies employees must understand and follow. It includes anti-harassment training, workplace safety (OSHA), data privacy (HIPAA, PCI DSS), anti-discrimination, ethics and code of conduct, and industry-specific regulations. Compliance training protects both employees and the business by ensuring everyone understands legal requirements and expected behaviors.
What compliance training is required by law?
Requirements vary by state and industry. Anti-harassment training is mandatory for employers in California, Connecticut, Delaware, Illinois, Maine, and New York, with varying size thresholds and deadlines. OSHA requires safety training for employees exposed to workplace hazards. HIPAA training is required in healthcare. PCI DSS training applies to businesses handling payment card data. Food handler certifications are required in food service. Check your specific state and industry, as requirements change frequently.
How often does compliance training need to be renewed?
Most compliance training requires annual renewal. California requires anti-harassment refresher training every 2 years. OSHA requires annual refresher training for many safety topics. HIPAA requires annual security awareness training. Some industry certifications (food handler cards, real estate licenses) have their own renewal cycles. Beyond legal minimums, best practice is to retrain whenever laws change, after workplace incidents, or when new employees are hired.
Who is responsible for compliance training?
The employer is legally responsible for ensuring employees complete required compliance training. At small businesses without HR departments, this responsibility typically falls on the owner or founder. The owner does not need to deliver the training personally. They can use online courses, external trainers, or training platforms. But they must ensure training happens on schedule and completion is documented.
What happens if a company does not provide compliance training?
Consequences range from fines to increased legal liability. OSHA violations can result in fines up to $16,131 per violation (2026). HIPAA violations can reach $2.1 million per violation category. For anti-harassment training, failure to train does not trigger a direct fine in most states, but it significantly increases liability in harassment lawsuits. Courts and juries view the absence of training as evidence that the employer did not take prevention seriously.
Can compliance training be done online?
Yes, most compliance training can be delivered online, and many state requirements explicitly allow it. California, for example, accepts live webinar, e-learning, or in-person formats for anti-harassment training. Online delivery is often the most practical option for small businesses because it allows employees to complete training at their own pace, tracks completion automatically, and scales without scheduling conflicts. Some training (like hands-on safety demonstrations) may require in-person components.
How long does compliance training take?
Duration varies by type and state. California requires 2 hours of anti-harassment training for supervisors and 1 hour for non-supervisory employees. Connecticut requires the same 2-hour and 1-hour split. OSHA training durations depend on the specific hazard standard. HIPAA training typically runs 1-2 hours initially. Most compliance training modules can be completed in 1-4 hours. The total annual compliance training burden for a typical small business employee is 4-8 hours across all required topics.
Does compliance training apply to small businesses?
Yes. Most federal compliance requirements apply regardless of company size. OSHA covers all employers with even one employee in hazardous conditions. Anti-harassment training requirements in some states apply to employers with as few as 1 employee (California's requirement applies to employers with 5+ employees, Connecticut's to employers with 3+ employees). The common belief that small businesses are exempt from compliance training is incorrect and creates significant legal risk.