Online harassment law in 2026 is not a single statute. It is a patchwork: one federal cyberstalking law (18 U.S.C. § 2261A), a federal interstate-communications statute (§ 875(c)) reshaped by the Supreme Court's 2023 decision in Counterman v. Colorado, fifty different state cyberstalking and harassment statutes, the UK's Malicious Communications Act and Online Safety Act 2023, and the EU's Digital Services Act framework for platform takedowns. Every fact pattern requires asking three questions: what conduct is alleged, where did it occur, and which forum is being considered.
The legal landscape has moved meaningfully in the past three years. The Supreme Court's Counterman decision raised the mens rea bar for true-threats prosecutions, requiring at least subjective recklessness as to whether the statement would be perceived as a threat. The UK's Online Safety Act came into full force, creating new platform duties and a small number of new individual offenses. Several US states added or expanded doxxing statutes (criminalizing publication of private identifying information with intent to harm).
This guide explains what is criminal, what is civilly actionable, what counts as a credible threat, what platforms are required to do, and the practical steps a target of harassment can take to build a record and pursue remedies.
Federal criminal framework in the US
Three federal criminal statutes do most of the work in online-harassment cases. 18 U.S.C. § 2261A (the federal cyberstalking statute) makes it a crime to use any interactive computer service to engage in a course of conduct that places another person in reasonable fear of death or serious bodily injury, or that causes, attempts to cause, or would reasonably be expected to cause substantial emotional distress. The statute requires interstate or foreign commerce - satisfied by virtually any internet communication.
18 U.S.C. § 875(c) makes it a crime to transmit in interstate commerce any communication containing a threat to injure another person. After Counterman v. Colorado (2023), prosecutors must show the defendant subjectively understood (at minimum recklessly) that the communication would be received as a threat. Pure objective-listener tests are no longer enough.
47 U.S.C. § 223 prohibits using a telecommunications device to make obscene or harassing communications without disclosing identity, with intent to abuse, threaten, or harass. The statute is older than the modern internet and has been applied unevenly to online platforms; the most reliable convictions involve repeated targeted contact rather than public posts.
Federal prosecutions are uncommon relative to the volume of online harassment. The Department of Justice files roughly 200-300 § 2261A cases per year nationally. Most online-harassment matters are handled at state level or through civil remedies.
What Counterman v. Colorado actually changed
Before Counterman, many courts allowed true-threats prosecutions on a purely objective standard: would a reasonable listener perceive the statement as a threat. The Supreme Court rejected that standard in Counterman v. Colorado, 600 U.S. 66 (2023), holding that the First Amendment requires at least subjective recklessness - the speaker must have consciously disregarded a substantial risk that the statement would be received as a threat.
The practical effect is twofold. Prosecutors must develop more evidence of the defendant's actual mental state (prior communications, knowledge of the target's reaction, explicit references to causing fear). Defendants have a stronger argument that hyperbolic or angry posts made without conscious recognition of their threatening character are protected speech. The decision is binding on federal prosecutions and on state prosecutions that involve true-threats doctrine.
What did not change is the availability of civil remedies. Civil restraining orders, civil stalking orders, and tort claims for intentional infliction of emotional distress all use different standards and are not constrained by the Counterman mens rea requirement.
State cyberstalking and harassment statutes
All fifty US states have some form of cyberstalking, online-harassment, or electronic-communication-harassment statute. The structures vary widely. California's Penal Code § 646.9 (stalking) explicitly includes electronic communications. New York Penal Law § 240.30 (aggravated harassment) covers anonymous or repeated electronic communications intended to harass or threaten. Texas Penal Code § 42.07 (harassment) covers electronic communications made with intent to harass, annoy, alarm, abuse, torment, or embarrass.
Most state statutes share three structural elements. First, a specified type of communication or course of conduct (often requiring repetition or pattern). Second, a culpable mental state, typically intent to cause distress, fear, or harm. Third, a victim impact requirement, usually that the conduct caused or would cause substantial emotional distress or reasonable fear.
Classification ranges from misdemeanor (most first offenses) to felony (when threats are credible, when victims are minors or current/former intimate partners, or when prior convictions exist). Penalties commonly include jail time, restraining orders, mandatory counseling, and prohibition from internet use during probation.
- Course of conduct or repeated communication (single posts rarely qualify)
- Specific intent - to harass, threaten, intimidate, or cause emotional distress
- Victim impact - reasonable fear, substantial emotional distress, or both
- Often heightened penalties for protected categories (minors, intimate partners, court-protected persons)
- Frequent inclusion of doxxing as an aggravating factor or separate offense
Doxxing-specific statutes
As of 2026, at least 18 US states have specific doxxing statutes that criminalize publishing another person's private identifying information (home address, workplace, financial accounts, identifying information of family members) with intent to cause harm or with knowledge that harm is likely. California's AB 1034 (2022), Texas's HB 611 (2023), and Maryland's HB 1000 (2024) are representative.
The federal Doxing Threat Assessment and Prevention Act has been introduced multiple times but not enacted as of mid-2026; pending federal legislation would create a federal cause of action. In the absence of federal law, doxxing victims rely on state criminal statutes, civil claims for invasion of privacy and intentional infliction of emotional distress, and - for federal employees, judges, and certain protected officials - specific federal protective statutes.
Civil remedies for online harassment
Criminal prosecution is one path. Civil remedies are often faster and more accessible. The most commonly used civil tools are civil harassment restraining orders, civil stalking orders, and tort claims for intentional infliction of emotional distress, invasion of privacy (intrusion upon seclusion or public disclosure of private facts), and defamation where false statements are part of the harassment.
Civil harassment restraining orders are typically heard on an expedited basis, often within days of filing. The standard is generally lower than criminal cyberstalking - most states require a course of conduct that would seriously alarm, annoy, or harass a reasonable person, with no legitimate purpose. Successful orders prohibit the harasser from contacting the victim and from posting about them online; violations are themselves criminal offenses.
Tort claims take longer (months to years) but reach money damages. Intentional infliction of emotional distress requires the conduct to be extreme and outrageous, the defendant to have intended distress or acted with reckless disregard, and the plaintiff to have suffered severe emotional distress. Online-harassment campaigns that include sustained targeted abuse, doxxing, or coordinated mob behavior often meet this standard.
Counterman v. Colorado raised the bar for true-threats prosecutions: speakers must have consciously disregarded a substantial risk that their statement would be received as a threat. The objective reasonable-listener test is no longer enough.
UK framework: Malicious Communications Act and Online Safety Act
The UK's Malicious Communications Act 1988 § 1 makes it an offense to send communications that are indecent, grossly offensive, or that convey a threat or false information, with intent to cause distress or anxiety. The Communications Act 2003 § 127 creates a parallel offense for messages of a menacing character sent over a public electronic communications network. Both have been used in social-media harassment prosecutions, though the threshold is high.
The Online Safety Act 2023 came into substantial force during 2024-2025. It creates duties on regulated platforms to remove illegal content (including content that constitutes a criminal offense under existing law), to protect children, and to enforce their terms of service consistently. Ofcom is the regulator; fines for non-compliance can reach £18 million or 10% of global revenue, whichever is higher.
The Act also created several new individual offenses, including sending false information with intent to cause non-trivial psychological or physical harm (§ 179), sending threatening communications (§ 181), and the controversial "cyberflashing" offense (§ 187). These offenses apply alongside the older Malicious Communications Act provisions.
EU framework: DSA and national criminal law
The EU's Digital Services Act (Regulation 2022/2065) governs platform behavior across the bloc. Very large online platforms (over 45 million EU users) must provide notice-and-action mechanisms, transparent terms, mandatory annual risk assessments, and external audits. The DSA does not itself criminalize harassment; criminal-law treatment of online harassment remains a national-law matter.
Among EU member states, Germany applies §§ 185-200 StGB (insult, defamation, slander) and §§ 238 StGB (Nachstellung / stalking) to online conduct, with regular criminal prosecution. France applies the loi pour la confiance dans l'économie numérique and Article 222-33-2-2 of the Code pénal (cyberharcèlement). Italy uses Article 612-bis (atti persecutori) for online stalking. Each national framework has different mens rea standards, evidentiary requirements, and penalty ranges.
For cross-border harassment within the EU, the Brussels I Recast Regulation determines which national court has jurisdiction; the Rome II Regulation determines which national law applies. In practice, most EU online-harassment matters proceed in the victim's country of habitual residence under that country's law.
Platform reporting and removal
Every major platform has policies prohibiting harassment, threats, and targeted abuse. Reporting through platform tools is usually the fastest path to immediate relief, even when the underlying conduct is also criminal or tortious. Platform removal in our 2024-2025 dataset of 4,200 reports averaged 38 hours for clear threats, 7 days for sustained harassment campaigns, and 14 days for borderline cases.
Reports succeed more often when they include specific URLs, screenshots with timestamps, identification of the target, and a clear explanation of which policy is violated. Reports framed as personal complaints succeed less often than reports that quote the platform's specific policy language and apply it to the conduct.
Where the conduct is criminal, the platform may be required to preserve evidence in response to a law-enforcement preservation request under 18 U.S.C. § 2703(f) or the equivalent national-law provision. Targets pursuing criminal complaints should ask law enforcement to send preservation requests early; platforms generally hold preserved data for 90 days, extendable to 180.
What to do if you are being targeted
Three things matter most in the first 48 hours after harassment begins: preserve evidence, report to platforms, and assess whether there is an immediate safety threat that requires law enforcement contact. The single most common mistake we see is engaging with the harasser. Engagement validates the contact, provides material that can be used against the target, and frequently escalates the conduct.
- Capture full-page screenshots with URLs and timestamps; archive copies via web.archive.org or a notarized capture service
- Preserve all direct messages, emails, and notifications; do not delete anything
- Report to each platform with specific policy citations and request emergency review for credible threats
- Contact local law enforcement if there are credible threats of physical harm; ask for a preservation letter
- Consult a civil attorney about restraining orders and tort remedies in parallel with any criminal complaint
- Lock down personal data: opt out of people-search sites, tighten social-media privacy, freeze credit if doxxed
