✏️ Edit PDFs free in your browser — no signup needed. Try OnlyDocs →
Learn more about OnlyDocs PDF Editor and our Business API.

OnlyDocs Blog

Free PDF Editor →

How to Redact Sensitive Information in a PDF

Cover Image for How to Redact Sensitive Information in a PDF
OnlyDocs Team
OnlyDocs Team

Here's something that ruins people's day more often than you'd think: they "redact" a PDF by drawing a black rectangle over Social Security numbers, bank accounts, or legal details. They send it off feeling secure. Then someone on the other end selects the text underneath, copies it, and reads everything that was supposedly hidden.

This happens to law firms, government agencies, and Fortune 500 companies. It happened to the TSA when their airport screening procedures leaked through a poorly redacted PDF in 2009. It happened to a federal court when sealed information was recoverable under black boxes in a filing. If professionals with legal teams get this wrong, it's worth understanding what actual redaction means before you do it yourself.

Real redaction doesn't just cover text — it destroys it. The data is gone from the file entirely. No copy-paste tricks, no metadata digging, no forensic recovery. That's the standard you need, and this guide will get you there.

✏️ Edit your PDF for free — no signup required

Fill forms, add signatures, merge files, and more — right in your browser.

Open Free Editor →

The Difference Between Hiding and Redacting

This is where most people trip up, so let's be clear about it.

Hiding means placing a visual element (a black box, a colored shape, white text on white background) over content. The underlying data stays in the file. Anyone with a basic PDF reader can select the "hidden" text, copy it, or find it through a text search. Some people even use highlighter tools set to black — which is essentially transparent to the file structure.

Redacting means permanently removing the content from the PDF's data layer. After proper redaction, the text doesn't exist in the file anymore. There's nothing to select, nothing to search, nothing to extract. The redacted area is replaced with a flat visual mark (usually a black bar), and the original content is stripped from the document stream.

The visual result looks the same — a black bar over text. But what's happening inside the file is completely different. One is a costume. The other is surgery.

What You Should Redact (and What People Forget)

Most people remember to redact the obvious stuff: Social Security numbers, credit card numbers, passwords. But PDFs hold more data than what's visible on the page.

Visible content to redact:

  • Names, addresses, phone numbers, email addresses
  • Financial information (account numbers, routing numbers, balances)
  • Government IDs (SSN, passport numbers, driver's license)
  • Medical information (diagnoses, prescriptions, patient IDs)
  • Legal case details that should remain sealed
  • Signatures and handwritten notes

Hidden data most people miss:

  • Document metadata — author name, creation date, software used, company name, revision history. Open any PDF's properties and you'll see fields like "Author: John Smith, Acme Corp." That metadata travels with the file.
  • Embedded comments and annotations — notes, tracked changes, or review comments that aren't visible in the printed view but exist in the file.
  • Bookmarks and links — internal bookmarks might reference confidential section titles.
  • Layer data — some PDFs have hidden layers (common in architectural drawings and design files) containing information not visible in the default view.
  • Form field data — even if a form looks blank, previous entries can persist in the file's data structure.

A proper redaction workflow addresses both the visible content and the metadata. Otherwise you're locking the front door while leaving the windows open.

How to Redact a PDF the Right Way

Method 1: Using a Dedicated Redaction Tool

The safest approach is a PDF editor with a real redaction feature — not just a drawing tool, but one that actually strips data from the file.

Here's the general workflow, regardless of which tool you use:

  1. Open your PDF in an editor that supports true redaction
  2. Mark the areas you want to redact — select text passages, draw boxes over images, highlight regions
  3. Review your marks before applying — most tools show redaction marks as red outlines or highlighted areas at this stage, so you can double-check
  4. Apply the redaction — this is the irreversible step where the tool permanently removes the underlying data
  5. Clean metadata — remove document properties, comments, hidden layers, and form data
  6. Save as a new file — never overwrite the original, in case you need the unredacted version later

The key step people skip is #5. Redacting visible text but leaving metadata intact is like shredding a letter but leaving the envelope with the return address.

Method 2: The Print-to-PDF Workaround

If you don't have access to a redaction tool, there's a low-tech method that actually works reasonably well:

  1. Open the PDF and place black shapes over sensitive content using any editor — even a basic one works for this
  2. Print the document to a new PDF using your system's "Print to PDF" function
  3. The print process flattens everything into a single image layer, eliminating the separate text data underneath your shapes

This works because printing rasterizes the page. The text layer is gone — it's just pixels now. However, this method has trade-offs: the output file will be larger, text won't be searchable anymore, and the quality may drop slightly. It also doesn't clean metadata unless you manually strip it afterward.

For one-off personal documents, this is fine. For legal, medical, or regulatory compliance, use a proper tool.

Method 3: Online PDF Redaction

Several online tools offer redaction features. OnlyDocs lets you edit PDFs directly in your browser — you can add shapes and annotations to cover content, then export as a flattened PDF. For quick jobs where you need to obscure information and share a document, this gets the job done without installing anything.

The advantage of browser-based tools is speed. Upload, mark, export. No software to configure, no learning curve. For documents that aren't subject to strict compliance requirements (like internal notes or personal records), online editors are the practical choice.

Common Redaction Mistakes That Leak Data

These aren't hypothetical. Every one of these has caused a real data breach:

1. Using a highlighter set to black. Highlight tools change text color or add a transparent overlay. The text is completely intact underneath. This is the most common mistake, and it's embarrasingly easy to undo — just select-all and copy.

2. Placing a text box with a black background over content. Same problem. The original text sits behind the box in the PDF structure. Move the box in an editor and everything is visible.

3. Changing font color to white. The text is still there. Select all, change color to black, and it reappears. This one gets people in legal proceedings more often than you'd expect.

4. Cropping the page. PDF cropping doesn't delete content outside the crop boundary — it just hides it from view. Adjust the crop region and the "removed" content comes right back.

5. Forgetting about OCR text layers. Scanned documents often have an invisible OCR text layer for searchability. You might redact the visible scan, but the OCR text layer still contains every word. Both layers need to be addressed.

6. Skipping the metadata. You redact every name in the document body but leave "Author: Jane Doe, Legal Department" in the file properties. Metadata is data too.

Redaction for Compliance: What the Law Actually Requires

If you're redacting documents for legal, medical, or regulatory reasons, the standard is higher than "it looks blacked out."

HIPAA (healthcare) requires that protected health information be rendered "unusable, unreadable, or indecipherable" to unauthorized individuals. A black box you can copy text from doesn't meet this standard. The HHS has specifically noted that visual covering alone is insufficient — the data must be removed from the file.

GDPR (EU data protection) gives individuals the "right to erasure." If someone requests deletion of their data from your documents, covering it with a shape isn't erasure. The data needs to be actually gone.

Court filings with sealed information must be properly redacted before public filing. The Federal Judiciary's CM/ECF system has published guidelines (updated 2023) specifying that redaction must remove data, not merely obscure it. Multiple cases have been compromised by inadequate PDF redaction.

FOIA responses from government agencies use redaction extensively. The standard is that redacted material must not be recoverable by any means from the released document.

The common thread: regulators and courts define redaction as removal, not concealment. If the data can be recovered from the file by any technical means, it hasn't been properly redacted.

A Quick Pre-Send Checklist

Before you share a redacted PDF, run through this:

  • Open the redacted file in a different PDF reader than the one you used to redact
  • Try selecting text in the redacted areas — if you can highlight anything, the redaction failed
  • Use Ctrl+F (or Cmd+F) to search for specific terms you redacted — names, numbers, keywords
  • Check document properties for author name, company, and revision history
  • Look for comments, annotations, or bookmarks you didn't intend to include
  • If the document has form fields, verify they're empty or removed
  • Confirm the file size makes sense — a properly redacted file is sometimes smaller because data was removed

This takes about 90 seconds and could save you from a very bad phone call.

Frequently Asked Questions

Can redacted information be recovered from a properly redacted PDF?

No — if the redaction was done correctly using a tool that removes the underlying data, the information is permanently gone. There's no forensic technique that can recover properly redacted content because the data is stripped from the file structure entirely. This is different from visual covering, where the data still exists and is trivially recoverable.

Is drawing a black box over text in a PDF considered redaction?

It is not. Drawing a shape over text in a PDF only adds a visual layer on top of the existing content. The text remains in the file and can be selected, copied, or found with a search function. True redaction requires a tool that removes the data from the PDF's content stream, not just hides it from view.

Do I need expensive software to redact a PDF?

Not necessarily. While Adobe Acrobat Pro has a dedicated redaction tool (around $20/month), there are free alternatives. The print-to-PDF method works for personal use, and browser-based tools like OnlyDocs can handle basic redaction tasks. For compliance-sensitive work (legal, medical, government), investing in a proper redaction tool is worth the cost to avoid liability.

Wrapping Up

PDF redaction is one of those things that looks simple but has real consequences when done wrong. The difference between a black rectangle sitting on top of text and actual data removal is the difference between privacy and a breach.

For personal documents, the print-to-PDF method or a free online tool will get the job done. For anything involving compliance, legal requirements, or genuinely sensitive data, use a tool with real redaction capabilities and always clean the metadata.

And before you hit send — take 90 seconds to verify. Open the file fresh, try to select text in the redacted areas, search for terms that should be gone. It's a small habit that prevents big problems.

Need to edit or prepare a PDF before redacting? OnlyDocs lets you annotate, fill forms, and export PDFs right in your browser — no software required.

✏️ Try OnlyDocs Free — Edit, sign, and merge PDFs right in your browser. No signup required.

Open Editor →