Google Spam Policies Explained: The Complete Guide (2026)
-
Author
Saurabh Garg -
Publish
July 11, 2026 5:41 am -
Read Time
15 Min
Most B2B, ITES, and SaaS sites that get demoted under Google’s spam policy were never trying to spam. They ran a growth tactic that a playbook sold them as smart: a programmatic page build, an AI content pipeline, A guest-post retainer, or A subfolder rented to a partner. Each one looked like a shortcut to visibility. To Google’s systems, each one reads as a named policy violation.
Google’s spam policies are usually explained as a list of things bad actors do. Read that way, they feel irrelevant to a legitimate company. Read correctly, they are a map of the exact growth moves that quietly reclassify a real business site from “ranking” to “demoted” without anyone at the company noticing.
Key Takeaways
- Google publishes sixteen named spam policies plus four “other practices” that usually cause demotion. Most B2B sites that get caught run a legitimate-looking growth tactic that happens to map onto one of them.
- Enforcement runs two ways. A manual action is a human reviewer’s decision, shows up in Search Console, and can be reversed with a reconsideration request. An algorithmic demotion arrives through a core or spam update, comes with no notice, and is handled by SpamBrain, Google’s AI spam-prevention system.
- The three policies most likely to catch a B2B or SaaS site right now are scaled content abuse, site reputation abuse, and link spam. All three describe tactics that most SEO experts still sell as growth.
- Manual actions can be undone, but link spam demotions largely cannot. Google’s own documentation states that once the ranking benefit of spammy links is removed, it does not come back.
- To check whether you are affected, read the Manual Actions and Security Issues reports in Search Console first, then match your traffic-drop date against Google’s confirmed update timeline.
To Google, spam is any technique used to deceive users or manipulate its systems into featuring content prominently. That definition now explicitly includes attempts to manipulate the answers in AI-generated results, not just the ranked list of blue links. The spam policies documentation Google publishes for site owners lists sixteen named policies and a further four practices that trigger demotion.
Google publishes these policies for one practical reason: enforcement is mostly automated, and automated enforcement needs a written standard. Its AI spam-prevention system, SpamBrain, decides at scale which sites are manipulating rankings. The policies are the human-readable version of what that system is trained to catch. When a company reads them and thinks, “none of this applies to us,” the usual reason is that it views spam as intent. Google’s systems do not assess intent; rather, they assess the pattern.
This is the shift that catches legitimate businesses. A doorway page built by a spammer and a “[service] in [city]” page built by a real agency produce the same pattern in the index. The policy does not distinguish between the two. That is why a company with a clean reputation and a good product can still wake up to a demotion it did not see coming.
In our audit work with B2B and SaaS sites, the most common reaction to a spam-policy hit is disbelief. Then comes the discovery that a tactic someone approved eighteen months ago is the cause. The policies are not written for people who set out to cheat. They are written for the pattern, and the pattern does not care who created it.
Google enforces its spam policies through two separate mechanisms, and telling them apart is the first diagnostic step in any recovery. A manual action is a decision made by a human reviewer at Google. An algorithmic demotion is applied automatically by Google’s ranking systems. The two feel identical from the traffic graph and are completely different to fix.
A manual action is one you can see. It appears in the Manual Actions report inside Google Search Console, names the policy you have violated, and states whether it affects specific pages or the whole site. Once you have fixed the underlying issue, you submit a reconsideration request through the same report, and a human reviews it. Manual actions are reversible by design. Google tells you what is wrong and gives you a route back.
An algorithmic demotion is one you cannot see directly. It arrives through a broad core update or a dedicated spam update, and Google sends no notification. You infer it from a traffic drop that lines up with a confirmed update date.
Google has shown exactly how quiet the algorithmic side can be. On 14 December 2022, it announced the December 2022 link spam update, the first time SpamBrain was used to neutralize spammy links directly rather than through a human penalty. Affected sites got no notice in Search Console. The update simply switched off the ranking credit those links had been passing, then took 29 days to finish rolling out. A site living on bought links was never told. Its rankings just stopped being propped up.
Spam updates are refreshes of SpamBrain’s detection, and their pace is increasing. The March 2026 spam update finished rolling out in under twenty hours, the fastest confirmed spam update on record, and Google shipped another in June 2026.
The distinction matters because it dictates your entire recovery path. A manual action wants a fix plus a reconsideration request. An algorithmic demotion wants a fix plus patience, because Google’s systems only re-evaluate compliance over a period of months. Skip the diagnosis and you can spend weeks writing a reconsideration request for a demotion that no human ever issued.

Here is every named spam policy Google currently enforces. The March 2024 spam update added three of them as brand-new categories: scaled content abuse, expired domain abuse, and site reputation abuse. Those three are where most present-day website risk sits, because all three describe tactics that are still sold as legitimate growth. Each entry below names the policy, the version a real company actually runs, and the deep-dive link where the tactic is common enough to warrant one.
Showing Google one version of a page and users another, with the intent to manipulate rankings. The accidental B2B version is a heavily scripted marketing site where the pre-rendered HTML served to Googlebot no longer matches what a human sees after the JavaScript loads. If your rendered and crawled content have drifted apart, you can trip this without ever deciding to.
In February 2006, Google removed BMW’s German site, bmw.de, from its index after Matt Cutts found it was feeding Googlebot keyword-stuffed doorway pages while sending human visitors somewhere else. One doorway page repeated the German word for “used car” dozens of times; the page real visitors saw used it twice. BMW insisted it had no intent to deceive and said the pages only existed because parts of its site were built using JavaScript in a way search engines could not read. BBC covered the BMW topic in its article on 6 February 2006.
Creating near-duplicate pages built to rank for slight query variations, all funneling users to the same destination. This is the programmatic “[service] in [city]” build, where fifty location pages carry the same body copy and one contact form.
Buying a domain for its existing ranking history and repurposing it with content that adds little value for users. The B2B version is acquiring a defunct competitor’s or old agency’s domain for its backlink profile and pointing it at your product. Google now treats this as a standalone policy.
Spammy or malicious content added to your site through a security hole, often without the owner’s knowledge. For most companies, this is an unpatched CMS plugin that lets pharma or gambling pages get injected under your domain. You find them by searching your own site and spotting pages you never made. Hacked content typically surfaces in Search Console’s Security Issues report before it surfaces anywhere else.
Placing text or links on a page solely for search engines, in a way users cannot easily see. The common legacy version is a block of white-on-white keywords or CSS-hidden footer links left behind by a previous SEO vendor. Normal design patterns like accordions and tabs do not count.
Filling a page with keywords or numbers to manipulate rankings, often in unnatural lists or out of context. The B2B version is a capabilities page that repeats “enterprise ITSM platform” until it reads like a chant, or a footer stuffed with city and service names.
Creating links to or from a site mainly to manipulate rankings. This is the widest net for B2B companies. It covers the paid guest-post retainer, the directory-submission package, and the “we will review your product for a fee” outreach that passes do-follow links. Buying links is only a violation when the link is not qualified with a nofollow or sponsored attribute. Link spam also carries the harshest recovery profile of any policy.
J.C. Penney is the case every SEO still cites, because it happened to a household-name retailer that swore it knew nothing about it. In February 2011, a New York Times investigation titled “The Dirty Little Secrets of Search” found thousands of paid links pointing to jcpenney.com from unrelated sites. Through the 2010 holiday season, the retailer had ranked number one for “dresses,” “bedding,” and even “Samsonite carry-on luggage,” outranking Samsonite’s own site. Once Google applied a manual action, the Samsonite term fell from position 1 to 71. Across 59 tracked terms, J.C. Penney’s average position collapsed from 1.3 to 52 in nine days. Penney said the links were unauthorized and fired its search firm, SearchDex. The penalty landed regardless.
Sending automated queries to Google, such as scraping search results for rank tracking, without permission. This rarely causes a site demotion on its own, but it violates both the spam policies and Google’s Terms of Service. If your team runs an in-house scraper against Google, it belongs on your risk list.
Creating a mismatch between what a user expects and what they get, or compromising their security. This bucket covers malware, unwanted software, and, as of enforcement on 15 June 2026, back button hijacking. Google named it a malicious practice in April 2026 and set full enforcement, both manual and algorithmic, to begin on 15 June 2026, holding site owners responsible for third-party scripts and ad platforms they embed. If a vendor tag on your resource hub traps the back button, the policy now treats that as your problem.
The B2B trap here is usually a third-party ad unit or library on a resources hub that hijacks the back button. A gated download that a scanner flags as unwanted software is the other common cause. The behaviour can originate from code you did not write, which is exactly why it goes unnoticed.
Building sites that promise functionality they do not deliver, typically to push users toward ads. Less common in B2B, but relevant to any free-tool page (“free PDF merge”, “free countdown timer”, etc.) that leads to deceptive ads instead of the tool.
Producing many pages primarily to rank rather than to help users, regardless of how the pages are made. Google’s wording explicitly names generative AI here, and the phrase “no matter how it’s created” closes the loophole most content teams were relying on. This is the AI pipeline publishing hundreds of thin posts a month, or the programmatic comparison pages built from a template. Volume is not the violation; value is.
Republishing content taken from other sites with no original value added, even with attribution. The B2B version is an “industry news” hub that reposts others’ articles, or a syndication setup with no original layer on top. Google draws the line at whether you provide a unique benefit to the user.
Publishing third-party content on a strong host site mainly to borrow that host’s ranking signals. Often called parasite SEO. The obvious version is renting a subfolder to a “best tools” affiliate operator. The version that catches legitimate companies is subtler. An established site branches into a new vertical using freelance content, purely because that content ranks better on the strong domain than it would alone. Google added an important carve-out for genuine editorial, wire services, and user-generated forums.
Redirecting a visitor to different content than they requested, in order to deceive users or search engines. The risky version is a redirect chain from an acquired domain that shows Google one page and sends users to a different offer. Legitimate redirects for site moves and page consolidation are fine.
Publishing affiliate pages that copy the merchant’s product descriptions with no original content or added value. A comparison section that reproduces vendor copy verbatim across dozens of near-identical pages is the classic pattern. Good affiliate content that adds testing, pricing analysis, or real comparison is not affected.
Spammy content added to your site through channels meant for users, such as forums, comments, or profile pages. Site owners are usually unaware. A community forum or an open profile system that gets flooded with spam links is the common cause. Google’s guidance on preventing abuse of public areas is the fix.
Four practices sit outside the named spam policies but still cause demotion or removal. They have no deep-dive spokes, so they are covered in full here. None of them are things a normal B2B company sets out to do, but two of them can happen to you rather than because of you.
Legal removals: When Google receives a significant volume of valid copyright removal requests about a site, it can demote other content from that site. It applies similar demotion signals to defamation, counterfeit goods, and court-ordered removals. This demotion mechanism dates back to a Google algorithm update in 2012 and has been part of the system ever since. Child sexual abuse material is always removed, and sites with a significant proportion of it are demoted entirely.
That 2012 change has a name in the industry: “the DMCA update”, widely called the Pirate Update. Google began demoting sites that piled up valid copyright removal notices, and the wreckage was concentrated where you would expect: file-sharing and torrent-style domains that had been ranking for movie, music, and software titles lost that visibility. Google refreshed the same signal in 2014. It is the one demotion on this list that a site earns purely through the volume of complaints against it.
Personal information removals: If Google processes a high volume of personal-information removals involving a site with exploitative removal practices, it demotes other content from that site. It also checks whether the same pattern appears on related sites and demotes those too. The same applies to doxxing content and non-consensual explicit imagery, real or fake. For a normal business, this is not a risk. For anyone running user profiles or a marketplace, the exploitative-removal pattern is worth understanding.
Policy circumvention: If a site keeps trying to bypass Google’s spam or content policies, Google broadens its response. That can mean losing eligibility for features like Top Stories and Discover, and removing larger sections of the site from results. Circumvention includes spinning up new subdomains, subdirectories, or entire sites to keep doing the thing that got you demoted. The lesson for anyone recovering from a penalty: a workaround escalates the enforcement rather than escaping it.
Scam and fraud: Impersonating a real business, displaying false information about a service, or attracting users under false pretenses. Imposter sites and fake customer-support pages are the primary targets. Google identifies these with automated systems and keeps them out of results. For a legitimate company, the practical exposure is impersonation by someone else using your brand, which is a security and trademark issue as much as an SEO one.
Start with the two reports in Google Search Console that tell you directly, before you infer anything from a traffic graph. Open the Manual Actions report first. If a human reviewer at Google has penalized your site, the policy is named there in plain language, along with whether it affects specific pages or the whole domain. An empty Manual Actions report means no human penalty exists, which already rules out half the possibilities.
Next, open the Security Issues report. This is where hacked content, malware, and social-engineering flags appear. A site can be demoted for content it did not create, and this report is where injected pages and compromised sections show up first. If both reports are clean, you are not dealing with a manual action, and your problem is algorithmic.
For an algorithmic demotion, the diagnosis is a date-matching exercise. Pull your organic traffic in Search Console, find the exact day the decline began, and compare it against Google’s confirmed list of core and spam updates. Google publishes this timeline, and its own guide to debugging Search traffic drops walks through the process. A drop that starts on a confirmed spam-update date points you toward the spam policies. A drop on a core-update date points somewhere else entirely, because a core update can demote a site that broke no rules at all.
The trap we see most often in audits is a company that assumes a manual action because the drop was sharp, writes a reconsideration request, and waits. No human ever penalized them. The drop was a spam-update refresh, and the reconsideration request went to a queue that will never help, while the actual fix went undone. Read the reports before you write anything.
Recovery follows the same four steps regardless of which policy is involved, and the mechanism dictates your timeline more than the policy does. First, confirm the mechanism using the Search Console reports above. Second, identify and remove the specific violation, not a generic “improve quality” gesture. Third, either submit a reconsideration request (for a manual action) or wait for re-evaluation (for an algorithmic demotion). Fourth, hold the fix in place long enough for Google’s systems to relearn compliance.
That fourth step is where most recovery timelines break. Google’s spam updates documentation states that making changes may help a site improve only as its automated systems learn, over a period of months, that the site now complies. There is no instant reset for an algorithmic demotion. If you fixed the issue and traffic did not return in a week, that is expected, not evidence that the fix failed.
One policy breaks this framework, and it is worth knowing before you invest in recovery. Link spam recovery is not symmetric with the other policies. Google’s documentation is explicit: when its systems remove the effect of spammy links, any ranking benefit those links previously generated is lost and cannot be regained. You can stop the penalty from continuing, but you do not get the old rankings back because those rankings were built on links that no longer count. This is why the paid-link retainer is the most expensive mistake on the list. The money bought a ranking that evaporates and does not return.
The honest framing for a leadership team is this. A content or technical violation is usually recoverable with genuine fixes and patience. A link violation is a sunk cost you stop paying into. Knowing which one you have before you brief a recovery project saves you from selling your board a timeline that the mechanism will not honour.
What is the difference between a Google core update and a Google spam update?
A core update re-evaluates how Google assesses quality and relevance across all sites. It can demote a site that broke no rules, simply because the systems now weigh a different signal or because competitors improved. A spam update refreshes SpamBrain’s ability to detect violations of the documented spam policies. A site hit by a spam update broke a specific written rule. A site hit by a core update may not have.
How many Google spam policies are there in 2026?
Google’s spam policies page lists sixteen named policies: cloaking, doorway abuse, expired domain abuse, hacked content, hidden text and link abuse, keyword stuffing, link spam, machine-generated traffic, malicious practices, misleading functionality, scaled content abuse, scraping, site reputation abuse, sneaky redirects, thin affiliation, and user-generated spam. It also lists four “other practices” that cause demotion: legal removals, personal-information removals, policy circumvention, and scam and fraud.
Does using AI to write content violate Google’s spam policies?
Using AI to write content is not itself a violation. Scaled content abuse targets pages produced primarily to rank rather than to help users. Google’s wording is “no matter how it’s created”. A single, genuinely useful AI-assisted post is fine. A pipeline generating hundreds of thin pages a month to chase rankings is the pattern the policy exists to catch. The test is value and originality, not the tool.
How do I know if my traffic drop was a spam policy or something else?
Check the Manual Actions and Security Issues reports in Search Console first. If both are clean, match the exact start date of your decline against Google’s published list of core and spam updates. A drop aligned to a spam-update date points toward the spam policies. A drop aligned to a core-update date points toward a quality re-evaluation rather than a rule violation. A drop that matches no update at all is more likely technical, such as an indexing or migration issue.
Can you recover from a Google spam penalty?
Yes, for most policies, with one major exception. Content and technical violations are recoverable. Fix the issue, then submit a reconsideration request for a manual action or wait out the re-evaluation for an algorithmic demotion. Hold the fix in place for the months Google’s systems need to relearn compliance. Link spam is the exception here. Google states that the ranking benefit from spammy links, once neutralized, cannot be regained, so recovery stops the penalty but does not restore the lost rankings.

Saurabh Garg, the visionary Chief Technology Officer at Whitebunnie, is the driving force behind our cutting-edge innovations. With his profound expertise and relentless pursuit of excellence, he propels our company into the future, setting new standards in the digital realm.
Copyright © 2026 White Bunnie -All Rights Reserved