In 2021, the New York Police Department filed a civil case and accidentally included a redacted court document — redacted by drawing black rectangles over text in Microsoft Word, then converting to PDF. The text underneath was still selectable. Journalists extracted it in seconds. The department had assumed redaction meant the information was gone. It wasn't.
That's the gap this article is about. Redaction and metadata removal are both "privacy operations" on a document, but they target completely different layers of the same file. Confusing them — or doing only one — is how sensitive information leaks even from documents that look cleaned up.
What redaction actually does
Redaction removes or obscures visible content in a document. Names, account numbers, addresses, signatures, dates of birth — anything you can read on the page. Done correctly, the underlying text or image data is permanently destroyed, not just hidden.
That last part matters. There are two very different things people call "redaction":
Black box redaction (dangerous)
A rectangle drawn on top of text. The text is still in the file — it's just covered. Copy-paste, text extraction tools, or some PDF readers can recover it instantly.
True redaction (safe)
The underlying text or image data is permanently deleted from the file structure. Nothing can recover it because it no longer exists in the document.
FileIntel's PDF Redactor uses the second approach — pdf-lib draws the redaction rectangle and then removes the underlying content from the page stream, not just covers it.
Adobe Acrobat's "black highlight" tool does not redact. It draws a black box on top. The text remains. Only Acrobat's dedicated Redact tool (under Tools → Redact) permanently removes content. Many people use the wrong one.
What metadata removal actually does
Metadata removal strips the hidden data layer embedded in the file itself. This has nothing to do with what you see on the page. A fully blank document still has metadata. A heavily redacted document still has metadata.
PDF metadata fields include:
| Field | What it contains | Risk if exposed |
|---|---|---|
Author | Full name of the person who created the file | High |
Creator | Software used to create it (Word, InDesign, etc.) | Medium |
Manager | Manager name from Office org chart data | High |
Company | Organisation name from Office profile | Medium |
ModDate | Last modification timestamp | Low |
Producer | PDF conversion tool (can reveal internal software stack) | Medium |
Keywords | Internal classification tags added by author | High |
Beyond the standard Info dictionary, PDFs also carry an XMP stream — an XML block that can contain an extended version of all these fields, plus revision history, embedded thumbnail images, and in some cases comment data. Stripping the Info dictionary but leaving the XMP stream intact is a common partial-cleaning mistake.
FileIntel's PDF Metadata Remover handles all three layers: Info dictionary setters, direct dictionary deletion, and XMP stream removal. See our guide to what PDF metadata actually is for the full breakdown.
Strip metadata from your PDF now
No upload. No account. Runs entirely in your browser.
The actual difference, clearly
Here's the simplest way to frame it:
Redaction protects what's on the page. Metadata removal protects what's about the file. They operate on different layers and neither one covers the other.
A document can be perfectly redacted — no visible sensitive content — and still leak the author's full name, their manager, their company, the internal software used, and when the file was last edited. That's an intelligence profile built entirely from metadata, with zero content visible.
Conversely, a document with clean metadata can still contain visible personal data that was missed in redaction review. Both operations are necessary. They're not alternatives to each other.
When you need both — and when you need just one
| Scenario | Redaction needed? | Metadata removal needed? |
|---|---|---|
| Legal filing with client names | Yes | Yes |
| FOIA response with exempt sections | Yes | Yes |
| Report sent to external client (no sensitive content) | No | Yes — author/company data still present |
| Internal document shared between departments | Maybe | Unlikely unless crossing org boundaries |
| Press release or public statement | No | Yes — internal author names often irrelevant |
| Employment records shared with third parties | Yes | Yes |
| Contract sent to counterparty | Probably not | Yes — drafter's identity may be confidential |
How to sanitize a PDF completely
The correct order matters. Always redact first, then strip metadata. If you strip metadata first and then open the document again in Word or Acrobat to add redaction marks, the software will write a fresh set of metadata — including your name and timestamp — when you save.
Review the document for visible sensitive content
Names, addresses, signatures, account numbers, dates of birth, medical details, legal references you want excluded.
Apply true redaction — not black boxes
Use a tool that deletes the underlying content from the page stream. FileIntel's PDF Redactor, Adobe's Redact tool, or the exiftool + qpdf command-line approach for technical users.
Strip metadata from the redacted file
Run the output through a metadata remover. Don't reopen the file in authoring software between steps — that re-stamps metadata.
Verify both operations
Try to select and copy text from redacted areas. Open metadata properties — Author, Creator, Manager, Keywords should all be empty. Check for an XMP stream if you have access to a hex editor or ExifTool.
Checking with ExifTool (command line)
If you want to verify metadata removal programmatically before distributing a document:
$ exiftool your-document.pdf
# Fields to check — all should be empty or absent:
Author : [should be blank]
Creator : [should be blank]
Manager : [should be blank]
Keywords : [should be blank]
# Strip everything in one command if needed:
$ exiftool -all= your-document.pdf
Compliance implications
Under GDPR Article 4(1), personal data means any information relating to an identified or identifiable natural person. An author's full name in a PDF metadata field is personal data. Sharing that document without stripping the field may constitute a personal data transfer without a lawful basis — particularly if the recipient is in a different organisation or jurisdiction.
The ICO's guidance on privacy by design explicitly calls out unnecessary data minimisation failures — sharing more personal data than required for the purpose. Metadata that serves no function in the distributed document should be removed before distribution. That applies to legal filings, procurement documents, correspondence, and HR records alike.
See our full GDPR and PDF metadata guide for the regulatory breakdown in detail.
In 2003, the UK government published a dossier on Iraq's weapons capabilities as a PDF. Metadata revealed it had been edited by a Number 10 communications official — and showed the document had been copied from an academic paper without attribution. The metadata told a story the visible document didn't. It became a significant political incident.
Remove metadata before you share
Free, private, instant. Nothing leaves your device.
Frequently asked
This article discusses document privacy practices for general informational purposes. It is not legal advice. For compliance requirements specific to your jurisdiction or sector, consult a qualified legal professional.