
ID Card Copy: Watermark It Without Overexposing

Executive summary: Sending an ID card copy is still common (rental, bank, telecom, admin requests), but it is also a frequent source of risk. The goal is not to refuse everything, but to reduce exposure: verify legitimacy, minimize visible information, use contextual watermarking, redact correctly, and choose a safer delivery method. The recommendations below rely on official sources (CNIL, Service-Public, France Identité) and avoid absolute promises.

Someone asks for a copy of your ID card "just to verify"? It can be legitimate, but it is rarely trivial. A scan can circulate, be cropped, and be reused out of context. In this article, you will learn how to respond in a professional and pragmatic way: what to ask the recipient, how to use a watermark without adding too much information, how to redact safely (annotation != deletion), how to send while limiting copies, and what to do if you suspect identity misuse.

All "before / after" examples and message templates in this article are fictional and contain no real data.

When is it relevant to send a copy, and which alternatives should you request?

Before watermarking, the best risk reduction is to avoid sending a raw copy if it is not necessary. Even in legitimate situations, you can often propose a more minimized alternative or ask to limit which information actually needs to be visible.

Core principle: "prove your identity" != "always send an ID copy"

In other contexts (exercising data protection rights), CNIL notes that, in principle, providing a copy of an ID card is not systematically required: the key point is to prove identity. Sending a copy should therefore not be an automatic reflex.

👉 Apply this logic to daily life: if the organization already has reliable elements (customer account, in-person exchange, strong authentication...), ask why the copy is indispensable and how long it will be kept.

6 quick questions to ask before sending a copy

  1. Who exactly are you? (company name, registration number if professional, official website, address)
  2. Why is this copy necessary (specific purpose)?
  3. Which information must remain visible (photo, name, birth date, validity...)?
  4. Who will have access to the document (team, vendor)?
  5. How long will it be kept (or deleted after verification)?
  6. How can I send it securely (restricted link, encrypted deposit, separate password channel)?

These questions help for two reasons: they discourage suspicious requests (rushed fraudsters), and they give you a clear framework to choose the right level of watermarking and redaction.

Recommended alternative: one-time-use identity proof

If you have a compatible ID card and an eligible smartphone, the France Identité app can generate a one-time identity proof (recipient, duration, purpose). It is designed as an alternative that limits the circulation of photocopies and scans.

Practical point: acceptance still depends on the recipient (not all services are used to this format yet).

Field tip: propose the alternative first before sending a scan. If it is refused, ask which information is strictly required, then move to watermark + redaction.

Anti-overexposure checklist (downloadable) + CSV

This checklist is designed to be reused each time you send a copy of an identity document. Goal: reduce the attack surface, keep a trace, and avoid routine mistakes.

Box — "ID copy" checklist (reuse this)

Copy the table below into your notes tool, or use the CSV block below (UTF-8, separator ;).

The point is not to overcomplicate things, but to have a simple protocol: who, why, which visible data, what protection level, what sending proof.

Checklist (table)

| Step | Action | Why | Status |
|---|---|---|---|
| Check the context | Identify the process (rental, bank, telecom, etc.) | Adjust the protection level | ☐ |
| Identify the recipient | Legal name, official website, domain email, phone | Avoid fake "customer support" impersonation | ☐ |
| Ask the purpose | "Why the copy? Which information must stay visible?" | Minimization (do not overshare) | ☐ |
| Propose an alternative | One-time identity proof if possible | Reduce scan sharing | ☐ |
| Create a "send" version | Duplicate the file (never modify the original) | Keep a clean source version | ☐ |
| Apply watermark (context) | Add recipient + date + purpose | Deterrence + traceability | ☐ |
| Redact unnecessary fields | Hide what is not required | Reduce out-of-context reuse | ☐ |
| Verify redaction | Test copy/search; open on another device | Annotation != deletion | ☐ |
| Choose delivery method | Restricted link + expiration if possible | Limit distribution | ☐ |
| Protect with password | Encrypted ZIP / protected PDF if needed | Secure transit | ☐ |
| Separate channel | Password via SMS/call, link by email | CNIL recommendation | ☐ |
| Keep proof | Email + screenshot + date + sent version | Useful in dispute/impersonation | ☐ |
| Remove access | Revoke/delete the link after use | Reduce exposure over time | ☐ |

CSV file (UTF-8, separator ;) to copy into a file

Paste this block into a file (for example id_copy_checklist.csv) for quick tracking in a spreadsheet or notes tool.

Step;Action;Why;Status;Notes
Check_context;Identify process and risk level;Adjust watermark/redaction;To_do;
Identify_recipient;Verify legal name official site and domain email;Avoid fake support;To_do;
Ask_purpose;Ask why and which information must remain visible;Minimization;To_do;
Propose_alternative;Offer one-time identity proof when possible;Limit distribution;To_do;
Send_version;Duplicate file to create a send version;Keep original;To_do;
Watermark;Add recipient plus date plus purpose;Traceability and deterrence;To_do;
Redact;Hide non necessary fields;Reduce risks;To_do;
Verify_redaction;Test copy/search and open on another device;Annotation != deletion;To_do;
Delivery_mode;Prefer restricted link plus expiration;Limit copies;To_do;
Password;Encrypt if needed (ZIP/PDF);Secure transit;To_do;
Separate_channel;Send password through separate channel;CNIL recommendation;To_do;
Keep_proof;Archive email screenshots and sent version;Incident management;To_do;
Remove_access;Revoke link after verification;Reduce exposure;To_do;

Watermark without overexposing: simple rules + 12 ready-to-copy templates

Watermarking an ID copy mainly helps prevent out-of-context reuse (cropping, re-sharing, generic reuse) and adds a label: who received the copy, when, and for what purpose. It is not absolute protection, but it is very effective when done properly.

Golden rules (common mistakes to avoid)

  • Do not add sensitive information in the watermark (full address, document number, full customer number, etc.).
  • Prefer: recipient, date, purpose, and optionally a non-sensitive internal identifier.
  • Use a watermark that is hard to crop out: central diagonal or light repeated pattern.
  • Do not make the document unreadable: the goal is to hinder reuse, not verification.

12 watermark texts (copy/paste)

  1. COPY FOR IDENTITY VERIFICATION — [Recipient] — [DD/MM/YYYY]
  2. ONE-TIME USE — PROCESS [Purpose] — [Recipient] — [DD/MM/YYYY]
  3. CONFIDENTIAL — DO NOT SHARE — [Recipient]
  4. COPY SENT TO [Recipient] — DELETE AFTER REVIEW
  5. IDENTITY — VERIFICATION ONLY — [DD/MM/YYYY]
  6. COPY PROVIDED FOR [Purpose] — [Recipient] — [City]
  7. SENSITIVE DOCUMENT — LIMITED SHARING — [DD/MM/YYYY]
  8. COPY FOR ADMINISTRATIVE USE — [Recipient] — [DD/MM/YYYY]
  9. RECIPIENT: [Recipient] — FILE REF: [ID-XXXX]
  10. DO NOT REUSE OUT OF CONTEXT — [Recipient]
  11. COPY FOR REVIEW — NOT VALID FOR OTHER USE — [DD/MM/YYYY]
  12. VERIFICATION WITH CONSENT — [Recipient] — [DD/MM/YYYY]

3 recommended watermarks by situation (practical tip)

  • Rental: "COPY FOR IDENTITY VERIFICATION — [Agency] — [Date]" (centered, diagonal).
  • Bank: "ONE-TIME USE — VERIFICATION [Purpose] — [Bank] — [Date]" + optional non-sensitive file ID.
  • Telecom / support: "COPY SENT TO [Service] — DELETE AFTER REVIEW" + visible date.

This mini box makes the page more actionable: you pick a fast template instead of starting from scratch.

Redaction: what to hide (and how to avoid the "annotation != deletion" trap)

Redaction means making information unreadable without distorting the document. The key point: many tools visually black out content, but do not necessarily remove underlying data (copyable text, layers, metadata).

In other words: hiding and truly deleting are not always the same. If you cannot guarantee deletion, use a more robust workflow (rasterization / flattened PDF print) and always test.

Simple tests after redaction (never skip these)

These tests take less than 2 minutes and prevent a false sense of security:

  1. Search the PDF for a word that should be hidden (name, address, number, etc.).
  2. Copy/paste text around the blacked-out area into a notes app.
  3. Open the file on another device (not the original app) and test again.
  4. Check that there is no separate selectable annotation layer.
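The search, copy and annotation-layer tests above can also be run against the file's bytes. The script below is an added example, not code from FiligraneFacile: the function names and the two stripped-down sample PDFs are constructed for the demo, and the hidden terms are the fictional values used later in this article. It only sees text stored as plain or hex strings in uncompressed or Flate-compressed streams, so an empty result complements the manual tests rather than replacing them.

```python
import re
import zlib

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
# A PDF literal string "(text)" or hex string "<54657874>".
TOKEN_RE = re.compile(rb"\((?:\\.|[^\\()])*\)|<[0-9A-Fa-f\s]*>")
ANNOT_RE = re.compile(rb"/Subtype\s*/(Square|Redact|Highlight|Ink|FreeText)")


def _norm(text):
    """Lower-case and drop whitespace so 'AA 123456' matches 'AA123456'."""
    return re.sub(r"\s+", "", text).lower()


def _shown_text(chunk):
    """Join all string operands so text split across a TJ array is rejoined."""
    out = []
    for tok in TOKEN_RE.findall(chunk):
        if tok.startswith(b"("):
            out.append(tok[1:-1])
        else:
            digits = re.sub(rb"\s", b"", tok[1:-1])
            digits += b"0" * (len(digits) % 2)  # odd length: pad with a zero
            out.append(bytes.fromhex(digits.decode("ascii")))
    return b"".join(out)


def redaction_findings(pdf, hidden_terms):
    """Return a list of reasons the redaction in `pdf` (bytes) is not trustworthy."""
    chunks = [("file body", pdf)]  # uncompressed objects, e.g. metadata
    for i, match in enumerate(STREAM_RE.finditer(pdf)):
        raw = match.group(1)
        try:
            # FlateDecode is the usual filter; trailing bytes are ignored.
            raw = zlib.decompressobj().decompress(raw)
        except zlib.error:
            pass  # not deflate data (e.g. a JPEG): scan the bytes as they are
        chunks.append((f"stream {i}", raw))
    findings = []
    for term in hidden_terms:
        needle = _norm(term)
        for label, chunk in chunks:
            texts = (chunk, _shown_text(chunk))
            if any(needle in _norm(t.decode("latin-1")) for t in texts):
                findings.append(f"'{term}' recoverable from {label}")
                break
    if ANNOT_RE.search(pdf):
        findings.append("annotation object present: the black box may be a removable layer")
    return findings


def _sample_pdf(content, extra_obj=b""):
    """Constructed, stripped-down PDF body (no xref table), for this demo only."""
    data = zlib.compress(content)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data
            + b"\nendstream\nendobj\n" + extra_obj + b"%%EOF\n")


# Black rectangle drawn as an annotation over text that is still in the page.
ANNOTATED = _sample_pdf(
    b"BT /F1 12 Tf 72 700 Td [(AA12) -20 (3456)] TJ ET",
    b"2 0 obj\n<< /Type /Annot /Subtype /Square /Rect [70 690 200 715] >>\nendobj\n")
# Rasterized page: only an image is painted, no text operators remain.
FLATTENED = _sample_pdf(b"q 595 0 0 842 0 0 cm /Im0 Do Q")

if __name__ == "__main__":
    for name, pdf in (("annotated", ANNOTATED), ("flattened", FLATTENED)):
        print(name, redaction_findings(pdf, ["AA123456", "Camille"]))
```

To check a real file, read it with `open(path, "rb").read()` and pass the exact strings you blacked out.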

Fictional "before / after" example on an ID document

Important: 100% fictional example. Never reproduce a blog example with real personal data.

Before (raw fictional scan)

  • Last name: Camille Martin
  • First name: Camille
  • Date of birth: 12/03/1992
  • Document number: AA123456
  • Address: (depends on document)
  • Machine-readable zone (MRZ): visible
  • Photo: visible
  • Signature: visible

After (fictional "send" version, cautious approach)

  • Keep visible: name, photo (often required), essential dates, validity period.
  • Redact (if not required): part of the document number, highly reusable elements out of context, secondary data.
  • Add a central watermark: "COPY FOR IDENTITY VERIFICATION — Company X — 22/02/2026".
  • Add a second discrete watermark (optional): "DO NOT SHARE".

Why this helps: a contextual watermark hinders generic scan reuse, and redaction limits misuse if the file leaks.

Fictional "before / after" example on proof of address (bill)

Before (fictional)

  • Name, full address
  • Customer number / contract reference
  • Billing period
  • Details (usage, options)

After (fictional)

  • Keep visible: name, city/postcode and readable address if that is the requested proof, recent period, issuer.
  • Redact: customer/contract number, internal IDs, unnecessary QR codes, bank references if present.
  • Watermark: "PROOF OF ADDRESS — One-time use — [Recipient] — [DD/MM/YYYY]".

Step-by-step procedures (free): watermark + redact on Windows, macOS, iOS, Android

Goal: offer free and realistic methods while keeping the rule "annotation != deletion" + tests. If you do this often, a dedicated redaction solution can save time.

Windows (free)

Watermarking (simple method)

  1. Open your watermark tool (web or local).
  2. Import the copy (PDF or image).
  3. Add text (one of the 12 templates), place it in the center (diagonal), adjust opacity.
  4. Export the watermarked version.
  5. Rename the file (for example 2026-02-22_ID_PourCompanyX.pdf).

Redaction (robust free workflow)

Option A — Rasterize the sensitive page (often the most reliable without a dedicated redaction tool):

  1. Open the PDF.
  2. Take a screenshot of the page (Snipping Tool).
  3. Open the image and black out the fields to hide (Paint / Photos).
  4. Print to PDF (Microsoft Print to PDF) to recreate a flattened page.
  5. Merge pages if needed.
  6. Test (search / copy).

Option B — Annotation + PDF print (depending on reader):

  1. Open the document in a PDF reader that allows annotation.
  2. Add black rectangles on sensitive areas.
  3. Print to PDF to flatten.
  4. Test; if text remains recoverable, go back to option A.

macOS (free)

Watermarking: same approach as Windows (watermark tool + export + rename).

Redaction — Option A (screenshot + edit + PDF export, robust)

  1. Open the PDF.
  2. Capture the page/area (Cmd + Shift + 4).
  3. Add black rectangles in Preview.
  4. Export to PDF (or "Save as PDF").
  5. Test (search / copy).

Redaction — Option B (annotation in Preview + export)

Convenient for speed, but always verify that the information cannot be recovered. If in doubt, switch back to screenshot + flattened PDF.

iOS (iPhone / iPad) (free)

For watermarking, you can use a web tool (if you accept uploading to a service you trust) or annotate an image. For redaction, prefer a method you can test.

Option A — Turn it into a scanned document (rasterized)

  1. Notes → Scan Documents (creates a scanned PDF).
  2. Open the scan → Markup → black rectangles over fields.
  3. Export / share as PDF.
  4. Test (search / copy, and on another device if possible).
  5. Warning: if OCR is active, some information may become searchable again.

Option B — Photo + Markup (ID card photo)

  1. Photos → Edit → Markup.
  2. Hide sensitive fields.
  3. Save a copy (do not overwrite the original).
  4. Add a watermark with a dedicated tool if you want stronger anti-cropping rendering.

Android (free)

Watermarking: use a watermark tool (web) or add text on an image. Redaction: prefer a testable and repeatable workflow.

Option A — Scan with Google Drive (often free)

  1. Google Drive → Scan (PDF).
  2. Open the scanned PDF → annotate (depending on app) → black rectangles.
  3. Export to PDF.
  4. Test (search / copy).
  5. If OCR is active, run another test on a different device.

Option B — Screenshot + edit

  1. Take a screenshot of the displayed document.
  2. Edit (photo editor) → black rectangles.
  3. Share as PDF if needed.
  4. Test (search / copy) before sending.

Secure sending: limit distribution and separate the secret

Even a well-watermarked and redacted document can leak if delivery is poorly controlled. CNIL recommends simple precautions: encrypt when needed, use transfers that ensure confidentiality, and send secrets (password / key) through a separate channel.

6 good practices without over-engineering

  1. Use a restricted-access link (named invitation) rather than an attachment that is easy to forward.
  2. Enable expiration (or delete the link after verification).
  3. If you encrypt/protect the file: send the password via a separate channel (SMS/call).
  4. Do not send "scan + password" in the same email.
  5. Keep a proof version (watermarked) + sending trace (date, recipient).
  6. Explicitly ask for deletion after use, without being aggressive.

Sending email template (copy/paste)

Subject: Identity verification — [First Last Name] — [File reference]

Hello [Name / Service],

As requested, I am sending an identity document for verification related to [purpose].
To limit risks of out-of-context reuse, the copy is watermarked with the recipient and the date.

Link (restricted access): [URL]
Available until: [DD/MM/YYYY]
Reference: [ID-XXXX]

For security reasons, the password (if applicable) is shared through a separate channel.

Please confirm receipt and, once verification is completed, deletion of non-necessary copies.

Kind regards,
[First Last Name]
[Phone]

What to do in case of identity theft: immediate actions + procedures + templates

If you detect (or suspect) identity misuse, the priority is to act quickly, document the situation, then use the official procedures that fit the case.

Immediate actions (within 30 minutes)

  1. Stop distribution: revoke the link, remove access, change the password if needed.
  2. Keep evidence: emails, SMS, screenshots, URLs, sent versions, dates/times.
  3. Assess impact: where the data may have been used (bank, telecom, administrations...).
  4. Start procedures: police log/report if suspicious, complaint if an offense is confirmed (depending on the case).

Official procedures (France): Service-Public and CNIL

Service-Public explains that in case of suspected identity theft, you may file a police report entry; and when identity theft is confirmed, the victim may file a complaint and notify the organizations concerned.

CNIL also publishes practical guidance on reacting to identity theft and the measures to take depending on the type of processing or organization involved.

Message templates (ready to use)

Message to the recipient (request clarification + deletion)

Hello,
I detect / suspect a risk of uncontrolled circulation of my identity document.
Please confirm:
- the exact purpose of the collection,
- who has access to the document,
- how long it is retained,
- immediate deletion of any unnecessary copy,
- and the responsible contact point.
Without a clear response, I will remove access and start the necessary procedures.
Kind regards,
[First Last Name]

Message to the bank / financial institution (pre-alert)

Hello,
I suspect identity theft. Please:
- strengthen monitoring on my file and block any unauthorized account/credit opening,
- confirm recent operations and the dedicated contact channels,
- indicate the procedure to follow (documents to provide, possible objections / blocks).
Kind regards,
[Name + contact details]

Preparation message for a report (police / reporting)

Hello,
I would like to report suspected/observed identity theft.
Facts: [date/time], [channel], [organization], [documents sent], [available evidence].
Damage/risks: [account, credit, telecom, etc.].
I attach: copies of exchanges, listing/link identifiers, screenshots, and any useful document.

Kind regards,
[Name + contact details]

CNIL complaint / claim (depending on the situation)

If the problem involves an organization that processes your data abusively (unjustified retention, refusal to delete, improper use...), CNIL provides an online complaint service. Keep your evidence and build a clear timeline.

Legal notes, CNIL compliance and editorial transparency

  • No legal advice: this article provides security and minimization best practices, but it does not replace legal advice adapted to your situation.
  • Proportionality: always ask which information is necessary, and avoid sending more than what is needed for the stated purpose.
  • Retention: ask for the retention period and deletion after verification.
  • Proof: keep a minimal log (recipient, date, watermarked version) to document the sending context.
  • Fictional examples: all before/after data in this article is fictional and contains no real information.



Mini FAQ: ID copy, watermarking and secure delivery

Frequent questions to avoid the most common mistakes before sending a copy of an identity document.

Should I send my ID as a photo or as a PDF?

Use the format requested. If you need to redact, make sure the hidden information is truly removed (search/copy tests).

What should I put in a watermark without adding risk?

Recipient + date + purpose. Avoid adding full numbers (document, customer) or other sensitive data.

Can I send the password in the same email?

A separate channel is better (link by email, password by SMS/call), as CNIL recommends, to reduce risk if the message is forwarded or compromised.

Is there an alternative to sending a photocopy?

Yes: a one-time identity proof via France Identité (if compatible). Acceptance still depends on the recipient.

© 2026 FiligraneFacile
