The short answer: under Oregon’s 2026 privacy reforms, most forms of doxxing are illegal, either as a violation of the Oregon Privacy Act or as a crime under the state’s updated harassment statutes. The new law expands the definition of “personal identifying information” and creates both civil and criminal penalties for anyone who disseminates such data without consent, except in narrowly defined journalistic or law‑enforcement contexts.
What the 2026 Oregon Privacy Act Introduces
The Oregon Privacy Act (OPA) of 2026 (ORS § 163.540) redefines personal identifying information (PII) to include full name, home address, phone number, email, social‑media handles, and any biometric data linked to an individual. The act obligates data collectors to obtain explicit consent before sharing PII with third parties and imposes a statutory fine of up to $5,000 per violation for non‑business actors.
How Doxxing Is Classified Under the New Law
Doxxing—publicly revealing private details about a person without permission—now falls squarely within the OPA’s prohibition on “unauthorized dissemination of PII.” Section 2(b) specifically mentions “public posting of personal data with the intent to harass, intimidate, or cause reputational harm” as a prohibited act. This language aligns doxxing with the broader category of privacy violations, making it actionable even when the perpetrator is not a commercial entity.
Criminal and Civil Penalties
- Criminal: The revised Oregon Revised Statutes § 163.575 creates a Class A misdemeanor for intentional doxxing that results in threats, stalking, or physical harm, punishable by up to one year in jail and a $6,250 fine.
- Civil: Victims can pursue statutory damages of $2,500 to $10,000 per incident, plus attorney’s fees, under ORS § 163.540(3). Courts may also issue injunctions to force removal of the disclosed information from online platforms.
Defenses and Safe Harbors
The OPA provides limited defenses for journalists, researchers, and law‑enforcement officers who disclose PII in the course of a bona fide public‑interest investigation, provided they follow a documented verification process (ORS § 163.540(4)). Good‑faith reliance on publicly available sources does not automatically shield a doxxer; intent to harass remains a crucial factor.
Practical Guidance for Individuals and Organizations
- Audit Data Practices – Review any collection of PII to ensure consent mechanisms meet OPA standards.
- Implement Access Controls – Restrict who can view or export sensitive data within your organization.
- Monitor Online Channels – Use automated alerts to detect the appearance of employee or client PII on public sites.
- Educate Stakeholders – Conduct regular training on the legal risks of sharing personal details.
- Respond Rapidly – If doxxing occurs, document the incident, issue takedown requests, and consider filing a civil claim under the OPA.
Can a victim sue for emotional distress caused by doxxing?
Yes. The OPA’s civil provision expressly allows claims for emotional distress when the unauthorized release of PII leads to mental anguish, with damages capped at $10,000 per violation.
Does the law apply to anonymous internet users?
The statutes do not require the perpetrator’s identity to be known at the time of filing; investigators can subpoena IP logs, platform records, and payment information to reveal the actor.
Are there any exceptions for public figures?
Public figures enjoy a reduced expectation of privacy, but the OPA still protects non‑public personal details (e.g., home address, private phone number). Publishing such data without consent remains actionable.
What constitutes “intent to harass” under the new statute?
The law looks at communications accompanying the disclosure, patterns of repeated sharing, and any direct threats. Even without explicit threats, a clear motive to intimidate satisfies the intent requirement.
How does Oregon’s law compare to federal protections?
Federal statutes like the Computer Fraud and Abuse Act address unauthorized access but do not cover consensual sharing of publicly sourced PII. Oregon’s OPA fills that gap, providing a state‑level cause of action that is more expansive and victim‑focused.