Redacting Documents for FOIA, CCPA, and Public Records Requests
FOIA and state public records requests carry statutory response deadlines. So do CCPA consumer access requests and HIPAA right-of-access requests. All of them require reviewing documents, identifying what must be withheld or redacted, and applying permanent redaction before disclosure. The process is the same regardless of which framework applies.
By RedactProof Editorial Team · Feb 18, 2026
Two routes to the same problem
Federal Freedom of Information Act (FOIA) requests require federal agencies to release records they hold, subject to specific exemptions. Agencies are generally expected to respond within 20 working days of receipt. State-level equivalents - often called public records laws or sunshine laws - apply to state and local government bodies with varying deadlines and exemption frameworks. If you work for a state agency, your state's specific public records law governs, not FOIA.
Data subject access requests under the California Consumer Privacy Act (CCPA) and similar state privacy laws give individuals the right to access personal information a business holds about them. Under CCPA, businesses have 45 days to respond, with a possible 45-day extension. For organizations handling health information, HIPAA's right of access gives individuals the right to access their medical records, with a 30-day response standard (extendable to 60 days in limited circumstances). Organizations that handle EU resident data may also be subject to GDPR.
The redaction challenge is the same regardless of which framework applies. You need to identify what must be removed, remove it permanently, and verify the removal before documents are released. The deadline does not flex because the document volume is larger than expected.
Scoping the request before you start
For FOIA and state records requests, scope is determined by the information a public body holds responsive to the specific request. Gather all responsive records into a review set before redacting. For CCPA access requests, scope covers all personal information the business has collected about the consumer across all systems.
Requests can often be clarified before you begin. Many agencies and organizations contact requesters to confirm the scope, particularly where a broad or ambiguous request would require reviewing large volumes of records. Document any clarification and keep it on file.
What to redact: a working checklist
Work through every document systematically. You're looking for three categories of content to remove.
Third-party personal information. Names, contact details, Social Security numbers, and any information that could identify someone other than the requester. Under FOIA, personal information about federal employees and third parties is typically exempt from disclosure. State laws vary, but most protect identifying information of private individuals.
Exempt information. FOIA's nine exemptions cover national security, internal agency rules, statutorily protected information, trade secrets, internal agency communications, personal privacy, law enforcement, financial institutions, and geological data. CCPA exemptions include HIPAA-protected health information, certain financial data governed by Gramm-Leach-Bliley, employment-related information in some circumstances, and publicly available information. Each exemption should be applied narrowly and documented.
Sensitive personal identifiers. Social Security numbers, driver's license numbers, financial account numbers, and health information warrant particular care. Many states have specific laws governing redaction of these identifiers from public records, separate from general privacy protections.
Practical approach: run automated PII detection across the full document set first, then review manually for contextual identifiers and exempt information that automated tools won't flag.
Applying exemptions correctly
Exemptions are not a blanket withholding tool. Each one should be documented, and you should be prepared to justify it if the requester appeals or files a lawsuit. Courts construe FOIA exemptions narrowly: where a record can be released with only the exempt portions redacted, it should be, and the Vaughn index approach requires agencies to describe each withheld item and the specific exemption applied. State laws often impose similar requirements.
Deliberative process privilege (FOIA Exemption 5) is frequently invoked and frequently litigated. It covers pre-decisional, deliberative communications - drafts, recommendations, internal debate - but not factual material. Courts have consistently held that factual content cannot be withheld under this exemption even when embedded in a deliberative document. Redact the deliberative portions; release the facts.
When you withhold information under an exemption, tell the requester. State the exemption claimed and, where required, provide a brief description of the withheld material. Agencies subject to FOIA are required to provide a Vaughn index or equivalent documentation upon request.
Workflow from receipt to disclosure
A consistent five-stage process reduces the risk of errors under deadline pressure.
Stage 1 - Gather. Collect all responsive records from every relevant system into a single review set. Convert non-PDF formats to PDF before redaction to avoid leaving data in revision history, comments, or hidden fields.
Stage 2 - Detect. Run automated PII detection across the full document set. RedactProof processes documents in your browser - files do not leave your device - and flags 40+ types of personal information including Social Security numbers, dates of birth, financial identifiers, and health information.
Stage 3 - Review. A human reviewer examines detection output and marks additional content: exempt deliberative material, attorney-client privileged communications, trade secrets, law enforcement sensitive information. Document each exemption claimed.
Stage 4 - Redact. Apply redactions using pixel-burn, not overlay. Overlay redaction draws a box over text that remains in the file, so it is reversible. Pixel-burn converts the document page to an image and permanently destroys the text layer underneath. This is the only approach that prevents recovery of redacted content.
Stage 5 - Verify. Before releasing any document, test the output file. Search for strings you know were redacted. Try to select text in redacted areas. Include verification certificates where your tool supports them.
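As an added illustration of the detection pass (stage 2, and the practical approach above) and the verification pass (stage 5), here is a Go program that is not RedactProof's detector: it flags SSNs and dates in a document's extracted text layer, then checks the text re-extracted from the redacted output for any flagged value that survived. The patterns, the SSN structure rules and the sample text are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
type Finding struct{ Kind, Value string } // one flagged span in the extracted text layer
// Hypothetical patterns (not RedactProof's detector): SSN with optional separators; ISO or US dates.
var ssnRe = regexp.MustCompile(`\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b`)
var dateRe = regexp.MustCompile(`\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b`)

// validSSN drops structurally impossible numbers (area 000, 666 or 9xx; group 00; serial 0000)
// so that case or invoice numbers are not over-flagged.
func validSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// FindPII is the stage-2 pass: every plausible SSN plus every date; dates go to the
// human reviewer because a bare date is not always a date of birth.
func FindPII(text string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllStringSubmatch(text, -1) {
		if validSSN(m[1], m[2], m[3]) {
			out = append(out, Finding{"ssn", m[0]})
		}
	}
	for _, d := range dateRe.FindAllString(text, -1) {
		out = append(out, Finding{"date", d})
	}
	return out
}

// VerifyRedacted is the stage-5 check, run on text re-extracted from the output file: it reports
// flagged values still present (text under a black box is the overlay failure mode). Empty means pass.
func VerifyRedacted(outputText string, redacted []Finding) []string {
	var leaks []string
	for _, f := range redacted {
		if strings.Contains(outputText, f.Value) {
			leaks = append(leaks, f.Value)
		}
	}
	return leaks
}

func main() { // constructed sample text, not a real record
	found := FindPII("Applicant SSN 123-45-6789, DOB 1984-07-21, case no. 000-12-3456.")
	fmt.Println(found, VerifyRedacted("SSN 123-45-6789 under an overlay box, DOB [REDACTED]", found))
}
```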
Scanned documents and mixed formats
Real disclosure packages rarely arrive as clean, text-searchable PDFs. Expect scanned letters, documents with track changes, spreadsheets with personal data in unexpected cells, and email exports. Scanned documents need OCR before automated detection can operate on the text layer.
For email records, export as PDF rather than forwarding. Forwarding carries metadata - message headers, routing information - that adds disclosure risk. A flat PDF is cleaner and easier to redact consistently.
Verification and your audit trail
A verification certificate provides cryptographic evidence that a document was redacted at a specific time and has not been modified since. This matters in FOIA litigation, where agencies may need to demonstrate that records were not altered after the initial response. RedactProof generates Ed25519-signed certificates automatically, with QR-code-enabled offline verification.
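To show concretely what a signed verification certificate establishes, here is an added Go example that is not RedactProof's certificate format: it binds the SHA-256 of the released file to an issue time under one Ed25519 signature, and the offline checker rejects a modified file, an altered timestamp, or a certificate from another key. The field layout and the payload framing are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)
// Certificate is a hypothetical layout, not RedactProof's format: it binds the hash of the
// released file to an issue time under one Ed25519 signature from the issuing organisation.
type Certificate struct {
	DocSHA256 string
	IssuedAt  string // RFC 3339, UTC
	Signature []byte
}
// signedPayload fixes the exact bytes the signature covers; changing hash or time breaks it.
func signedPayload(docHash, issuedAt string) []byte {
	return []byte("redaction-cert-v1\n" + docHash + "\n" + issuedAt)
}

// IssueCertificate hashes the released document and signs hash+time with the issuer's key.
func IssueCertificate(priv ed25519.PrivateKey, doc []byte, issuedAt time.Time) Certificate {
	sum := sha256.Sum256(doc)
	h, ts := hex.EncodeToString(sum[:]), issuedAt.UTC().Format(time.RFC3339)
	return Certificate{DocSHA256: h, IssuedAt: ts, Signature: ed25519.Sign(priv, signedPayload(h, ts))}
}

// VerifyCertificate is what an offline checker (e.g. one fed from a QR code) does: rehash
// the file in hand, compare with the certified hash, then check the signature with the
// issuer's public key, which the checker must already trust.
func VerifyCertificate(pub ed25519.PublicKey, doc []byte, c Certificate) (bool, string) {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != c.DocSHA256 {
		return false, "document bytes differ from the certified hash"
	}
	if !ed25519.Verify(pub, signedPayload(c.DocSHA256, c.IssuedAt), c.Signature) {
		return false, "signature invalid: certificate altered or not from this issuer"
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	released := []byte("constructed stand-in for the bytes of the redacted output PDF")
	cert := IssueCertificate(priv, released, time.Now())
	fmt.Println(VerifyCertificate(pub, released, cert))
	fmt.Println(VerifyCertificate(pub, []byte(string(released)+" tampered"), cert))
}
```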
Maintain an internal redaction log separate from the disclosure package. Note which documents were reviewed, what was withheld under which exemption, and who signed off. This record stays inside your organization and is your compliance documentation if the response is challenged.
HR teams handling recurring access requests may find our guide to document redaction for HR teams useful for building a repeatable process.
What to include with the disclosure
For CCPA access requests, the response should cover all personal information collected, the categories of sources, business or commercial purposes for collection and sharing, and categories of third parties with whom the information is shared. The CCPA requires this information to be provided in a readily usable format.
For FOIA and state records responses, include documentation of any exemptions claimed. Requesters have the right to appeal redaction decisions, and clear upfront documentation of the legal basis for each withholding reduces the likelihood of a successful appeal or litigation.
Deliver securely. The disclosure package contains personal information and is subject to the same data protection standards as any other sensitive record in transit.
Frequently Asked Questions
How long do we have to respond to a consumer access request?
Under CCPA, businesses have 45 days to respond to consumer access requests, with a possible 45-day extension (total 90 days) if you notify the consumer. Under HIPAA, covered entities have 30 days to provide access to health records, extendable to 60 days in limited circumstances with notice. FOIA requests to federal agencies must receive an initial response within 20 working days, though final disclosure may take longer. State public records laws vary significantly - check your state's specific requirements.
What is the deadline for responding to a FOIA request?
Under the Freedom of Information Act (5 U.S.C. § 552), federal agencies are generally expected to respond to FOIA requests within 20 working days of receipt. The 20-day clock begins the working day after the agency receives the request. Extensions of up to 10 additional working days are permitted under the Act in 'unusual circumstances' - typically for high-volume or complex requests. The Department of Justice's Office of Information Policy (OIP) issues guidance, and the Office of Government Information Services (OGIS) at NARA mediates disputes.
Can we charge for processing an access request?
Under CCPA, businesses cannot charge for handling consumer access requests, unless the consumer makes more than two requests in a 12-month period, in which case a reasonable fee may apply. Under FOIA, agencies can charge for search, duplication, and review time - though fees are often waived for news media, educational institutions, and requests in the public interest. State laws vary widely on fee structures.
What happens if we accidentally disclose personal data that should have been redacted?
An accidental disclosure of personal information may constitute a data breach under state breach notification laws or, for protected health information, HIPAA's Breach Notification Rule. Many state laws and the HIPAA rule require notification to affected individuals and regulators within specified timeframes (often within 60 days under HIPAA, varying by state). In practice, contact the requester immediately, request that the unredacted documents be destroyed, issue corrected copies, and document the incident, your assessment of risk, and your response actions. State attorneys general and the HHS Office for Civil Rights have imposed penalties where inadequate redaction led to disclosures - the risk is not theoretical.
Do we need to keep a copy of the unredacted originals after disclosure?
Yes. Retain the unredacted originals under your standard document retention policy. If the data subject or requester challenges your redaction decisions - arguing that exemptions were applied incorrectly or that certain data should have been included - you will need the originals to justify your position. Store them securely with the same access controls as other sensitive documents. The redaction log (documenting what was redacted and under which exemption) should be retained alongside the originals.