Is Doxxing Illegal? A State-by-State Breakdown for Security Teams
by Maddie Bullock

Is Doxxing Illegal?
Yes, doxxing is illegal in many circumstances, but the answer depends on three things: what information was shared, the intent behind sharing it, and what state you're in. There is no single federal law that bans doxxing by name. Instead, the United States regulates it through a patchwork of state statutes, federal harassment and stalking laws, and civil liability options.
For security teams responsible for protecting executives, this patchwork is important. An executive doxxed in California has different legal protections than one doxxed in Florida, and the gap between when a doxxing campaign starts and when any legal remedy takes effect is often measured in weeks, while the damage happens in hours. Understanding the legal landscape helps security teams know when to involve law enforcement, what evidence to preserve, and why proactive prevention beats reactive response.
What Counts as Doxxing?
Doxxing is the intentional public release of someone's private or identifying information without their consent, usually to harass, intimidate, or cause harm. The term comes from "dropping docs," hacker slang for documents.
The information involved can include home addresses, phone numbers, workplace details, family member identities, financial account numbers, email addresses, and personal photographs. Doxxers typically assemble this information from social media profiles, public records, data broker sites, old forum posts, and sometimes hacked accounts.
One important distinction runs through every doxxing law in the country: sharing publicly available information is not automatically a crime. Doxxing crosses into illegal territory when the person sharing the information intends to cause fear, harassment, or harm, or when they act with reckless disregard for that risk. That intent is the dividing line.
Is Doxxing Illegal Under Federal Law?
There is no comprehensive federal anti-doxxing statute that protects all victims. Instead, federal prosecutors rely on several existing laws, depending on the circumstances.
Federal stalking law (18 U.S.C. § 2261A) is the statute that most often applies to doxxing. It makes it a crime to use electronic communication systems to engage in a course of conduct intended to cause or attempt to cause substantial emotional distress. As legal resource Nolo notes, the penalties vary widely depending on the harm caused and the age of the victim. The catch for security teams: the "course of conduct" requirement means a single post usually isn't enough to prosecute, which makes coordinated doxxing campaigns from multiple anonymous accounts hard to pin on any one person.
Protection of covered officials (18 U.S.C. § 119) makes it a federal crime to publish "restricted personal information" about covered persons, including federal employees, officers, jurors, witnesses, and certain state and local officials participating in federal investigations, with intent to threaten or intimidate. This federal crime carries up to five years in prison, but it only protects specific categories of people, not corporate executives.
The TAKE IT DOWN Act addresses a narrow but serious slice of the problem: it criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes, and requires platforms to remove such content within 48 hours of a valid takedown notice.
There's also movement in Congress. The Protecting Law Enforcement from Doxxing Act was introduced in the 119th Congress to criminalize releasing the names of federal law enforcement officers with intent to obstruct investigations. Like the existing federal statutes, it's narrowly scoped to specific protected groups rather than the general public.
Is Doxxing Illegal in Your State? A Breakdown
State law is where most doxxing gets prosecuted, since that's where the victim lives and where the harm occurs. According to the Council of State Governments, as of mid-2025, three states—Alabama, California, and Illinois—have established doxxing as a standalone crime with an explicit statutory definition. Fourteen additional states have criminalized the same conduct without using the word "doxxing." The rest prosecute it under harassment, stalking, and cyberstalking laws.
Here's where the highest-interest states stand.
Is Doxxing Illegal in California?
Yes. California has both criminal and civil doxxing laws. On the criminal side, Penal Code § 653.2 makes it a misdemeanor to electronically post personal information with intent to place someone in reasonable fear for their safety, or to incite others to harass them. A conviction can carry up to one year in county jail and a fine of up to $1,000.
California also gives victims a strong civil remedy. The Doxing Victims Recourse Act (AB 1979), along with Civil Code § 1708.89, allows victims to sue for economic and noneconomic damages, statutory damages ranging from $1,500 to $30,000, punitive damages, and attorney's fees. Victims can even sue anonymously using a pseudonym.
Is Doxxing Illegal in Texas?
Yes. Texas enacted a specific doxxing statute, Penal Code § 42.074 ("Unlawful Disclosure of Residence Address or Telephone Number"), which took effect September 1, 2023. It makes it an offense to post someone's home address or phone number on a publicly accessible site with intent to cause harm or threat of harm to that person or their family. A 2025 amendment expanded the law to cover disclosures made through electronic communication, applying to offenses on or after September 1, 2025.
The base offense is a Class B misdemeanor (up to six months in jail and a $2,000 fine), escalating to a Class A misdemeanor if the disclosure results in bodily injury. Texas prosecutors can also bring related charges under harassment (§ 42.07) and stalking (§ 42.072) statutes.
Is Doxxing Illegal in Florida?
Florida has no statute that uses the word "doxxing," but the conduct is still prosecutable. According to LegalClarity, depending on the facts, a doxxer in Florida could face charges ranging from a first-degree misdemeanor to a second-degree felony carrying up to 15 years in prison.
The most direct tool is Florida's cyberstalking statute, § 784.048, which covers electronic communication directed at a specific person that causes substantial emotional distress and serves no legitimate purpose. Florida also has a cyber harassment statute (§ 836.10) covering electronic threats to kill or injure, and identity theft laws that apply when doxxers misuse stolen personal information.
Is Doxxing Illegal in Other States?
For executives located outside these states, the protections vary widely:
- Illinois has one of the most comprehensive civil frameworks. The Civil Liability for Doxxing Act (effective January 2024) lets victims sue for economic injury, emotional distress, fear of bodily harm, and substantial life disruption.
- Alabama created a standalone criminal doxxing offense through HB 287 (2023).
- Kentucky imposes felony penalties when doxxing results in bodily harm to a victim or their family.
- Fourteen states criminalize the underlying conduct without naming it, while others rely on harassment and stalking laws.
One detail matters for corporate security teams: not all of these laws protect the general public. Seven states—Alabama, Colorado, Delaware, Minnesota, New Jersey, Oklahoma, and Pennsylvania—limit their doxxing protections to specific public officials such as judges, law enforcement officers, and election officials. In Delaware, for example, the protection applies only to judicial officers and their families.
A private-sector executive doxxed in one of those states may have no standalone doxxing statute to rely on and would fall back on harassment or stalking laws instead. Every other state without a dedicated provision prosecutes doxxing through those broader harassment and stalking statutes.
This is general information, not legal advice, and statutes change frequently. Security and legal teams should verify the current law in any state where they have protected individuals.
What the Legal Patchwork Means for Corporate Security Teams
For a security team protecting executives across multiple states, the legal landscape creates a practical problem: the protections your CEO has in California don't follow them to a conference in Florida or a satellite office in Texas. Building an executive protection program around legal recourse alone means accepting wildly inconsistent coverage.
There's a bigger issue, too. Legal remedies are reactive by design. The gap between when a doxxing campaign begins and when a legal remedy takes effect is typically measured in weeks. The gap between when the campaign begins and when the damage occurs is measured in hours.
A 2025 incident illustrates the timeline problem clearly. Two websites published the full names, business emails, mobile numbers, and compensation details of hundreds of Fortune 500 executives. The sites were live for less than 24 hours before being taken down, but the data was archived, mirrored, and indexed before that happened. Security teams that detected the exposure within hours could begin removal requests while the window was still open. Teams that found out later are still managing the indexed copies. No state doxxing law could have acted within that window.
This is why documentation matters so much. When a doxxing incident does warrant law enforcement involvement, police and prosecutors need evidence: proof of the threat actor's identity, the intent behind the disclosure, and the harm caused. A security team that can hand over a documented investigation gives law enforcement something to act on. A team that reports "someone posted our CEO's address" without supporting intelligence usually gets a slower response.
ZeroFox's managed services and intelligence teams help close this gap by providing the evidence layer: person-of-interest investigations, threat actor identification, and dark web monitoring that turn a vague complaint into an actionable case.
In one engagement, a threatening and incoherent message aimed at a global company's CEO led ZeroFox analysts to a person of interest who was already tied to earlier incidents. The investigation surfaced a detail the client's security team hadn't known: the individual was living much closer to the company's offices than prior sightings had suggested. With that intelligence in hand, the client could accurately gauge the level of risk, coordinate with local law enforcement, and restart its routine executive threat assessments.
Proactive Prevention Beats Reactive Response
The most effective doxxing defense reduces exposure before an incident happens. A strong program works on three fronts: removing the personal data that already exists, controlling what executives and their families share going forward, and monitoring continuously so nothing slips back into circulation.
Remove what's already exposed
As Nate Anderson, General Manager, Technology at ZeroFox, frames the first step: make sure your information isn't publicly accessible and understand what is already out in public. PII removal reduces the personal data available on data broker and people-search sites, which eliminates the easiest, cheapest source threat actors use to compile a doxxing target.
This matters because of what attackers can build once they have a few pieces of personal data. As Anderson explains, exposed information lets a threat actor "conjure much more convincing scams, threats, and deceptions because they use your personal, and often private, information." A scam call that names your child and their school, a phishing email that cites your home address, or a pretext built from your employer and travel patterns all become far more believable when the details are accurate. The data itself may be mundane, but assembled together it becomes a script.
Control what gets shared next
Removing existing data only helps if new exposure doesn't replace it. Often the biggest leaks of personal information don't come from threat actors at all. They come from the executives and their families.
As Esmeralda Sayagues, Product Manager for ZeroFox Executive Protection, puts it, the most important habit is "discretion about where you are, who you're with, and what you're doing in the age of Instagram." A spouse posting vacation photos, a teenager geotagging the family home, or an executive sharing travel details can hand a doxxer everything they need. Each post adds a data point, and enough data points build a geographic and behavioral timeline that reveals patterns about where an executive lives, where their kids go to school, when the house is empty, and where they'll be next.
Digital footprint monitoring tracks this exposure directly. ZeroFox Executive Protection scans public social media activity across platforms like Facebook, Instagram, LinkedIn, and X for what an executive has disclosed about their location, family, and routines, and surfaces family-member disclosures as alerts the security team can act on. Coverage can extend to up to five family members per executive, since the people around a principal are frequently the weakest link in their privacy.
Monitor continuously
Doxxing prevention isn't a one-time cleanup. Data brokers re-aggregate removed information, and new social media posts appear constantly. The program has to keep running. PII removal re-scans on a recurring basis and re-submits removal requests when data reappears, while digital footprint monitoring and sentiment analysis watch for new exposure and early signs of hostile attention.
Bring it together in one place
ZeroFox Executive Protection brings these capabilities together: PII removal, digital footprint monitoring, sentiment analysis, dark web monitoring, and threat intelligence in a single platform built for corporate security teams.
The advantage, according to Sayagues, is efficiency. Security teams face constant alert fatigue and information overload, and the platform "puts all of that information into a high-level analysis of each facet, so that teams can digest it better and faster" and prioritize what matters most. Instead of stitching together separate consumer tools for privacy, travel, sentiment, and threat intelligence, security teams get a single view of executive exposure and the intelligence to act on it.
The Bottom Line on Doxxing Legality
Doxxing law is evolving quickly, and the trend points toward stronger protections, with more states passing dedicated statutes each year. But legal protection will always be reactive. It kicks in after the exposure and often weeks or even months after the damage is done.
Corporate security teams that treat doxxing as a preventable risk, through an executive protection plan including PII removal, digital hygiene, and continuous monitoring, are in a far stronger position than those waiting to find out which statute applies after an executive has already been targeted.
To learn more about reducing executive exposure before it can be weaponized, explore ZeroFox Executive Protection with a demo.
This article provides general information about doxxing laws and is not legal advice. Laws vary by jurisdiction and change frequently. Consult a qualified attorney for guidance on a specific situation.
Frequently Asked Questions
Maddie Bullock
Content Marketing Manager
Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.
Tags: Executive Protection