Most people who arrive at this question don't yet use the word "doxxing." They type something more concrete: someone posted my address online, my ex shared my private information, a stranger linked my real name to an account I keep separate, people are calling my employer because of something I said.
All of those describe the same underlying act. Doxxing (sometimes spelled doxing, from the 1990s hacker shorthand "dropping dox") is the deliberate publication or distribution of identifying information about a person, with the intent or foreseeable consequence of exposing them to harassment, intimidation, or physical danger.
Whether it is illegal depends on three things: the jurisdiction, what was published, and what the publisher intended. The honest answer for 2026 is that doxxing is increasingly treated as a stand-alone crime in continental Europe, partially codified in the UK, and handled through a patchwork of federal stalking law plus a growing number of state statutes in the United States. This piece walks through each.
Why people get doxxed
Before the law, the motive. Academic work on doxxing — most cited is Douglas's 2016 conceptual analysis in Ethics and Information Technology, and the 2021 Emerald scoping review of technology-facilitated violence — converges on a small set of recurring drivers. Reading them as scenarios rather than categories tends to make the legal questions land harder.
- Retaliation by an ex-partner or estranged family member. Sharing a home address, employer details, or private images to punish someone for ending a relationship. This is the single most common pattern reported to European DPAs and the form most likely to escalate to physical violence.
- Ideological or political targeting. Publishing the home address of a politician, judge, journalist, abortion provider, climate activist, or LGBTQ+ figure to pressure them into silence or to invite third-party harassment. The 2020 murder of teacher Samuel Paty in France, whose name and school had been circulated on social media, drove the French statute discussed below.
- "Justice" mobs. A real or perceived offence (a viral video, an off-colour social-media post, an alleged crime not yet adjudicated) gets met by crowdsourced identification and exposure. The intent is presented as accountability; the effect is private punishment outside any due process.
- Extortion. "Pay or we publish." Common against executives, public figures, and victims of intimate-image abuse. Often pairs with a credential-leak threat to add credibility.
- Swatting setup. Address publication is the precondition for sending armed police to a target's home under a false report. The address itself is the lever.
- Workplace pressure. Calling an employer, regulator, or professional body with personal information to engineer firing, licence loss, or contract cancellation.
- Competitive or in-group score-settling. "Outing" a pseudonymous account in a community (gaming, fandom, professional networks) to humiliate or marginalise the target.
- Journalism and activism. A small number of journalists and activists publish identifying information about people they consider public-interest subjects, particularly individuals connected to extremist movements or organised harassment campaigns. Whether this is doxxing or accountability reporting is contested in academic literature; courts and prosecutors have generally treated intent and proportionality as the dividing line.
The motives matter legally because most doxxing statutes turn on intent. Publishing a name and address is not the offence; publishing them to intimidate, frighten, or facilitate harm is.
The European baseline: GDPR
Independently of any criminal statute, anyone who publishes another person's identifying data inside the EU or UK has to clear the General Data Protection Regulation. Article 6 requires a lawful basis for processing personal data; gratuitous publication of someone's address, phone number, or workplace will rarely have one. Article 9 elevates the bar for special-category data such as health, sexual orientation, religion, and trade-union membership. Article 17 gives the data subject a right to erasure. Article 21 gives them a right to object. Article 80 lets non-profits bring collective actions.
GDPR is a civil instrument, not a criminal one. But it provides the baseline that lets a victim demand removal from platforms, search engines, and any controller that holds the data, and it provides the regulator with fining power against platforms that refuse. In jurisdictions that lack a dedicated criminal doxxing statute, GDPR is often the only fast remedy available.
What changed between 2021 and 2024 is that several EU member states decided GDPR was not enough and added criminal offences specifically aimed at doxxing.
Netherlands: Article 285d Sr (since 1 January 2024)
The Netherlands criminalised doxxing on 1 January 2024 with a new Article 285d of the Wetboek van Strafrecht. The offence is committed when a person obtains another's personal data and shares, distributes, or otherwise makes them available with the intent to frighten that person, cause them serious harassment, or seriously impede them in the exercise of their profession.
The maximum sentence is two years' imprisonment or a fourth-category fine (currently up to €22,500). The maximum is increased by one third if the target is a person in a profession the legislator wanted to protect; explicitly named in the legislative history are politicians, judges, journalists, and care workers.
Two design choices are worth flagging. First, the law is framed around intent rather than the data itself, which means publishing genuinely public information (a workplace already on LinkedIn) can still be doxxing if the purpose is intimidation. Second, the Dutch DPA (Autoriteit Persoonsgegevens) maintains a parallel civil track via GDPR, so victims can pursue both criminal complaint and erasure simultaneously.
Germany: Section 126a StGB (since 22 September 2021)
Germany was first in continental Europe with a dedicated provision. Section 126a of the Strafgesetzbuch, headed Gefährdendes Verbreiten personenbezogener Daten ("endangering dissemination of personal data"), entered into force on 22 September 2021 as part of the Gesetz gegen Rechtsextremismus und Hasskriminalität.
It punishes anyone who publicly, in an assembly, or by distributing content disseminates another person's personal data in a way "suitable and intended" to expose them or someone close to them to the danger of a crime, specifically a crime against sexual self-determination, physical integrity, personal freedom, or property of significant value.
Penalties: imprisonment up to two years or a fine for publicly accessible data; up to three years or a fine for non-publicly-accessible data. The higher tier reflects the intuition that publishing leaked, hacked, or otherwise non-public information signals a more deliberate harm.
The statute was originally drafted in response to right-wing "enemy lists" (Feindeslisten) circulating in Germany. Enforcement has scaled noticeably: North Rhine-Westphalia alone reported 9 cases under §126a in 2022 and 37 in 2023 — a fourfold rise inside one Land in the second full year of the statute.
France: Article 223-1-1 of the Code pénal (since 24 August 2021)
France criminalised doxxing in the wake of the murder of teacher Samuel Paty in October 2020. Paty's identity, school, and routine had been circulated on social media in the days before he was attacked. Article 36 of Law 2021-1109 of 24 August 2021 ("strengthening respect for the principles of the Republic") inserted Article 223-1-1 into the Code pénal.
The offence is revealing, disseminating, or transmitting, by any means whatsoever, information relating to the private, family or professional life of a person, in a way that allows them to be identified or located, for the purpose of exposing them or members of their family to a direct risk of harm to person or property that the perpetrator could not have ignored.
Penalties: three years' imprisonment and a €45,000 fine, raised to five years and €75,000 when the target is a minor, a person whose vulnerability is due to age or medical condition, an elected official, a member of the judiciary, a law-enforcement officer, a journalist exercising the profession, or any person living at the same residence as a person targeted because of that person's profession.
France's statute is the broadest of the three in scope (it covers professional life, not only private life) and the heaviest at the top end. It is also the only one drafted as an explicit response to a fatal attack.
United Kingdom: a patchwork plus the Online Safety Act
The UK has not enacted a stand-alone doxxing offence. Doxxing is treated as conduct that triggers several existing statutes, depending on what was done.
- Malicious Communications Act 1988, s.1: sending a communication that is indecent, grossly offensive, or contains a threat or false information, with intent to cause distress or anxiety.
- Protection from Harassment Act 1997, s.1 and s.2: a course of conduct (two or more incidents) amounting to harassment, where the perpetrator knew or ought to have known their conduct would amount to harassment.
- Online Safety Act 2023, s.179: false communications offence, in force since 31 January 2024. Sending a message containing information the sender knows to be false, with intent to cause non-trivial psychological or physical harm to a likely audience, with no reasonable excuse. Maximum: six months' imprisonment on summary conviction.
- Online Safety Act 2023, s.183: threatening communications offence.
- Computer Misuse Act 1990: where the data was obtained by unauthorised access in the first place.
- UK GDPR / Data Protection Act 2018: civil and regulatory routes via the ICO, plus the s.170 criminal offence of knowingly or recklessly obtaining or disclosing personal data without the controller's consent.
The Crown Prosecution Service's Communications Offences guidance explicitly names doxxing as conduct that may amount to one or more of the above offences, and the OSA's explanatory materials list doxxing as a paradigm example of harm that the false-communications offence is intended to capture.
The practical consequence is that most UK doxxing matters get charged either as harassment (if there is a course of conduct) or as a communications offence (if a single message). The offence is real; what is missing, compared with France or Germany, is a statute that uses the word "doxxing" or that specifically describes the address-publication scenario.
United States: federal narrowness, state expansion
US federal law does not criminalise doxxing as such. Two statutes do most of the work.
- 18 U.S.C. § 119: protection of individuals performing certain official duties. Knowingly publishing the restricted personal information (Social Security number, home address, personal phone, personal email, home fax) of a covered government official (judges, witnesses, jurors, federal officers, informants), with the intent to threaten, intimidate, or facilitate a violent crime against them. Up to five years.
- 18 U.S.C. § 2261A: federal cyberstalking. Using interstate or foreign electronic communication with intent to kill, injure, harass, intimidate, or surveil a person, in a way that causes (or would reasonably be expected to cause) substantial emotional distress or reasonable fear of death or serious bodily injury. Up to five years baseline; higher if the victim is killed or seriously injured.
Outside those two, the federal landscape is thin. The work has fallen to states.
As of 2025, 19 states have enacted doxxing-related legislation. They split roughly into three groups.
- Explicit "doxxing" statute with a definition. Alabama (HB 287, 2023), California, and Illinois. California's Assembly Bill 1979 (the Doxing Victims Recourse Act, signed September 2024) created a civil right of action. Illinois's Civil Liability for Doxxing Act (Public Act 103-0439, in force 1 January 2024) did the same.
- Stand-alone doxxing offence without using the word. Colorado, Florida, Missouri, Oklahoma, Pennsylvania, Virginia, Oregon, Delaware, Kentucky, Minnesota, Nevada, New Jersey, Utah, and Washington: fourteen states that criminalise the conduct but route it through statutes on harassment, stalking, or unauthorised disclosure.
- Amended existing harassment or stalking law. Arizona and Connecticut.
The civil-versus-criminal split matters. Eight states (Alabama, Arizona, Colorado, Florida, Missouri, Oklahoma, Pennsylvania, Virginia) make doxxing a criminal offence only; prosecution is the only path. Nine states (California, Connecticut, Delaware, Kentucky, Minnesota, Nevada, New Jersey, Utah, Washington) provide both criminal prosecution and a civil cause of action, which lets a victim sue for damages without waiting for a prosecutor to take the case.
For someone living in a state without specific legislation, the available routes are usually federal cyberstalking (where the conduct meets the high intent threshold), state harassment or stalking law, and civil suits for intentional infliction of emotional distress, public disclosure of private facts, or harassment.
Side-by-side: how the three regimes compare
| Jurisdiction | Dedicated doxxing statute | Maximum penalty (top tier) | Civil track | Effective from |
|---|---|---|---|---|
| Netherlands | Yes, Sr 285d | 2 years 8 months (with profession aggravator) / €22,500 | GDPR / civil tort | 1 Jan 2024 |
| Germany | Yes, StGB §126a | 3 years (non-public data) | GDPR / civil tort | 22 Sep 2021 |
| France | Yes, CP 223-1-1 | 5 years / €75,000 (aggravated) | GDPR / civil tort | 24 Aug 2021 |
| UK | No (patchwork: MCA, PHA, OSA s.179, CMA, DPA) | Up to 6 months (s.179) / 5 years (PHA stalking) | UK GDPR + tort of misuse of private information | OSA s.179 from 31 Jan 2024 |
| US federal | No (18 USC 119 covers officials only; 2261A is cyberstalking) | 5 years (federal), higher if death | Tort, varies by state | 119: 2008; 2261A: 1996 (amended) |
| US states (19) | Mixed: 3 with explicit definitions, 14 standalone, 2 amendments | Varies; up to felony in several states | Available in 9 states | Most enacted 2018–2024 |
The headline pattern is that continental Europe has moved toward dedicated, intent-based criminal statutes that name the conduct; the UK has stayed with general communications and harassment law plus a new false-communications offence; and the US splits sharply between a thin federal floor and an uneven state-by-state ceiling. A doxxing victim's options depend less on the act than on where they happen to live.
What to do if you have been doxxed
Steps roughly in order, regardless of jurisdiction.
- Capture evidence before content disappears. Full-page screenshots with URL and timestamp, the post or message in its original platform context, archive copies (archive.today, Wayback Machine), and the account or handle that published it. If law enforcement gets involved later, they will need this; platforms remove content faster than prosecutors move.
- Report to the platform. Major platforms have specific reporting paths for doxxing or for sharing personal information without consent. Reporting under the platform's own policy is usually faster than any legal route and creates a record.
- Demand erasure under GDPR (EU/UK) or invoke state-specific takedown rights (US). Article 17 of the GDPR forces controllers to remove personal data that has no lawful basis. In the US, several states' civil doxxing statutes include injunctive relief.
- File a criminal complaint where a dedicated statute exists. In the Netherlands, Germany, and France, doxxing is its own offence and can be reported to police. In the UK, route the complaint through harassment, communications, or computer-misuse charges depending on the facts. In the US, federal cyberstalking is on the table where the conduct crosses state lines and meets the intent threshold; otherwise state authorities are the venue.
- Engage the data-protection authority. EU/UK DPAs accept doxxing complaints and can fine platforms or controllers that fail to act. The Dutch AP, the German BfDI / Land DPAs, the French CNIL, and the UK ICO all publish doxxing-specific guidance.
- Consider civil action. Where a civil right of action exists (California, Illinois, several other US states; tort of misuse of private information in the UK; civil claims under national tort law in EU member states), a damages action runs in parallel with criminal proceedings and does not depend on prosecutorial discretion.
- Reduce the surface that made you reachable in the first place. Doxxing usually combines several feeds: data brokers, breach corpora, public registries, and social-media exhaust. Removing the data once is necessary but not sufficient: broker re-ingestion, cached search results, and breach mirroring will restore most of the footprint within months unless the underlying sources are addressed.
That last point is where the legal track meets the operational one.
Why this matters for executives, journalists, and high-visibility individuals
Doxxing is overwhelmingly opportunistic. The attacker compiles what is already exposed: broker records, voter files, Companies House filings, court dockets, leaked databases, social media. They package it for distribution. Statutes like Sr 285d, §126a, and 223-1-1 punish the publication. None of them prevent it.
The exposure that makes doxxing possible is exactly the exposure that makes phishing, vishing, swatting, and physical surveillance possible. Reducing it is the only step that affects all four threat models simultaneously.
If your role makes you a credible target (public office, journalism, executive leadership, advocacy work), the question is not whether the data exists but how reachable it makes you. The Shield maps the exposure surface an attacker would compile and removes what is removable before they get to it.
Talk to an AnalystThe point of the European statutes is to give victims a route to consequence after the fact. The point of the work we do is to make the route unnecessary in the first place.
Sources
Primary law and government sources
- Online Safety Act 2023, Section 179 (legislation.gov.uk)
- Online Safety Act 2023: new criminal offences circular (GOV.UK)
- Communications Offences (Crown Prosecution Service)
- Article 223-1-1 du Code pénal (Légifrance)
- Use of personal data for the objective of harassment to become criminal offence (Government.nl)
- Doxing guidance (Autoriteit Persoonsgegevens)
- § 126a StGB (dejure.org)
- 18 U.S. Code § 119 (Cornell LII)
- 18 U.S. Code § 2261A (Cornell LII)
Secondary analysis
- Netherlands: Doxing Criminalized (Library of Congress, Global Legal Monitor)
- Doxing: State Protections Against Digital Threats (Council of State Governments, October 2025)
- Doxing and Swatting (Council of State Governments, April 2025)
- Improvement of national legislation on doxing and source protection (Council of Europe)
Academic
- David M. Douglas, Doxing: a conceptual analysis, Ethics and Information Technology, 2016
- Doxxing: A Scoping Review and Typology, Emerald International Handbook of Technology-Facilitated Violence and Abuse, 2021