
How to Redact a PDF for Legal Compliance

GDPR, HIPAA, FOIA & Legal Proceedings — do it right the first time

PDF redaction mistakes have cost organisations millions. The NSA, the UK government, and major law firms have all accidentally leaked classified or privileged information by drawing boxes over text rather than truly removing it. This guide explains the right way to redact a PDF and what the law actually requires.

Why Proper Redaction Matters

A PDF is not simply a picture of a page. It is a structured file containing layers of data: text streams, fonts, embedded images, annotations, form fields, and metadata. When you place a black rectangle on top of text, the original text remains in the file in those underlying layers. Anyone who:

  • opens the file in a text editor and searches for patterns
  • copies the “blacked out” area and pastes it elsewhere
  • removes the annotation layer using a PDF tool
  • examines the raw PDF bytes with a hex editor

…can recover the “hidden” text. True redaction removes the content from the file structure entirely, making recovery impossible.

What Each Regulation Requires

GDPR (EU)

  • Right to erasure — personal data must be irreversibly removed
  • Court documents and HR files shared externally must redact all non-relevant personal identifiers
  • Retention of the original unredacted copy must follow a lawful basis

HIPAA (US Healthcare)

  • Protected Health Information (PHI) must be de-identified before sharing
  • 18 specific identifiers must be removed: name, dates, location codes, contact info, SSN, and more
  • Safe Harbor method requires removal of all 18 identifiers; Expert Determination requires statistical verification

FOIA (US Federal)

  • Nine exemption categories allow agencies to redact: national security, internal rules, trade secrets, personal privacy, law enforcement, etc.
  • Segregable portions must be released — only exempt information may be redacted
  • Agencies must log what was redacted and cite the exemption

Court & Legal Proceedings

  • FRCP Rule 5.2 (US Federal): redact SSNs to last 4 digits, financial accounts to last 4 digits, DOB to year only, minor names to initials
  • Many jurisdictions require redaction of home addresses and phone numbers
  • Privilege log must itemise redacted privileged communications

Step-by-Step: Redact a PDF with EditoraPDF

1. Open the Redact PDF tool

Navigate to EditoraPDF → Redact PDF and upload your file. No data leaves your browser.

2. Select the areas to redact

Click and drag to draw redaction boxes over each piece of text, image, or area that must be removed. You can add multiple boxes across multiple pages.

3. Apply the redaction

Click "Apply Redactions". EditoraPDF permanently removes the underlying content from the PDF data structure and replaces it with a solid filled rectangle — not just a visual overlay.

4. Sanitize metadata (recommended)

After redacting, run the file through Sanitize PDF to strip document metadata (author, creation date, tracked changes, embedded thumbnails) that might reveal information about the original content.

5. Verify the result

Open the downloaded PDF, try to select the redacted areas and press Ctrl+C. You should not be able to copy any text. Search (Ctrl+F) for the redacted terms — they should not be found.

6. Document the redactions

For compliance purposes, maintain a log of what was redacted, the reason (regulation or exemption category), and the date. This is required under FOIA and strongly recommended for HIPAA and GDPR.
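
A scripted form of the verification in step 5, added here as an example and not EditoraPDF's code: it inflates each content stream and reports redacted terms that text operators still carry. The sample PDF bodies, the SSN-style value and all function names are constructed for illustration; the check reads only literal `(…)` strings in unencrypted streams, so a hit proves a leak while a clean result does not replace the manual checks above.

```python
import re
import zlib

# An object whose dictionary is followed by a stream; the lookahead keeps the
# match from running across "endobj" into a later object.
STREAM_OBJ = re.compile(rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LEN = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
TEXT_BLOCK = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # (string) operands of Tj / TJ

def decoded_streams(pdf):
    """Yield every stream body, inflating the ones marked /FlateDecode."""
    for m in STREAM_OBJ.finditer(pdf):
        length = DIRECT_LEN.search(m.group(1))
        end = m.end() + int(length.group(1)) if length else pdf.find(b"endstream", m.end())
        body = pdf[m.end():end]
        if b"/FlateDecode" in m.group(1):
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # damaged or differently encoded: outside this check
        yield body

def residual_text(pdf):
    """Text that text-showing operators still carry, one entry per BT..ET block."""
    out = []
    for body in decoded_streams(pdf):
        for block in TEXT_BLOCK.findall(body):
            out.append(b"".join(LITERAL.findall(block)).decode("latin-1"))
    return out

def leaked_terms(pdf, terms):
    """Redacted terms that can still be found in the file's text operators."""
    haystack = " ".join(residual_text(pdf)).lower()
    return [t for t in terms if t.lower() in haystack]

def sample_pdf(content):
    """Constructed sample: one compressed content stream in a bare PDF body."""
    body = zlib.compress(content)
    return (b"%PDF-1.4\n4 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

BOX = b"0 0 0 rg 95 695 260 18 re f\n"  # solid black rectangle
TEXT = b"BT /F1 12 Tf 100 700 Td [(SSN 000-) -15 (12-3456)] TJ ET\n"  # constructed value
overlay_only = sample_pdf(TEXT + BOX)   # text drawn, then covered by the box
redacted = sample_pdf(BOX)              # text operators removed, box kept

if __name__ == "__main__":
    for name, pdf in (("overlay_only", overlay_only), ("redacted", redacted)):
        print(name, leaked_terms(pdf, ["000-12-3456", "SSN"]))
```

Because content streams are usually Flate-compressed, a plain byte search of the file can miss text that this check finds after inflating the stream.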

Common Redaction Mistakes to Avoid

Black rectangle overlay without burning in

Text remains in the file. Anyone can remove the box to reveal it.

Redacting in Word then exporting to PDF

The "deleted" text may be recoverable from tracked changes or the file's undo history that gets embedded in the PDF.

Forgetting document metadata

Author names, revision history, and comments in the PDF metadata may reveal what was redacted or who created the document.

Redacting only visible pages

PDFs can contain hidden layers, annotations, and embedded objects on non-visible layers that also need to be checked.

Using low-contrast marks

Dark grey on black may not provide sufficient contrast in print. Use solid black fills.

Not keeping the unredacted original

Legal workflows often require retaining the unredacted version in a secure location for audit purposes.

Frequently Asked Questions

What is the difference between redaction and covering text with a black box?

Covering text with a box hides it visually but leaves it in the file data. True redaction removes the underlying content permanently from the PDF structure.

Is redacting a PDF online safe for confidential legal documents?

Only if the tool processes files locally. EditoraPDF runs entirely in your browser — your file never reaches any server, making it safe for privileged or confidential documents.

Does EditoraPDF permanently remove the text?

Yes. The Redact PDF tool removes the underlying content from the PDF data structure rather than just overlaying a mark. The redacted text cannot be recovered by selecting, copying, or searching.

What regulations require PDF redaction?

GDPR, HIPAA, FOIA, and court filing rules (such as FRCP Rule 5.2 in the US) all require proper redaction of personal, privileged, or exempt information before sharing documents.

Ready to Redact Properly?

Use EditoraPDF's free Redact tool — all processing happens locally in your browser, so your confidential documents stay confidential.
