Google today reversed a controversial policy change to its spam report system, announcing that any submission containing personally identifying information (PII) will not be processed at all - a significant departure from what the company had communicated only a couple of weeks ago.

The change, reported on April 24, 2026, by Barry Schwartz at Search Engine Roundtable, marks a rapid about-face. It follows sharp community criticism of a prior update in which Google had stated it would pass along all information entered in a spam report directly to the site owner when a manual action resulted from that report. That disclosure requirement triggered a wave of concern from SEO professionals, privacy advocates, and everyday webmasters alike, who pointed out the obvious risks of transmitting personally identifiable data to the very parties being reported.

What Google's spam report form now says

The updated form now carries a new notice that reads, according to the attached document:

"Don't include any personally identifying information in your submission. To comply with regulations, we must send the submission text to the site owner to help them understand the context of a manual action, if one is issued. Because of this, we won't process your submission if we determine it contains personally identifying information to protect privacy. Not including such information fully ensures your information is safe and prevents your submission from being discarded."

This language appears under the "Spammy, deceptive, or low quality webpages" section of Google's spam, phishing, or malware reporting form. The form instructs users that Google may use their report to take manual action against violations of its spam policies. The new PII notice sits as a prominent bullet point immediately before the "Report spam" button, giving it high visual weight within the interface.

Google noted it "further clarified" the policy specifically to "address feedback we received about the change on using spam reports to take manual action," according to Search Engine Roundtable.

Why the prior policy alarmed the community

The core tension in the original policy change was structural. Google's position was - and remains - that when a spam report leads to a manual action, the site owner must be informed of the context behind that action. This is described in Google's current documentation as a regulatory compliance requirement: "To comply with regulations, we must send the submission text to the site owner."

That logic, while legally coherent, created an immediate and concrete problem. If a person submitting a spam report included their name, email address, or any other identifying detail in the free-text field, that information would end up in the hands of the site owner they were reporting. Glenn Gabe, SEO and AI Search Consultant at G-Squared Interactive, flagged the specific risk publicly on X on April 24, 2026, noting that the original policy opened the door to misuse. According to Gabe, anyone could enter someone else's name in the spam report as the person filing it - effectively fabricating the identity of the reporter. That spoofing possibility meant the old system created legal exposure not just for genuine reporters, but potentially for third parties whose names could be entered without their knowledge.

"That could lead to all sorts of problems, including legal problems," Gabe wrote, according to the attached X post, adding that feedback about personal identifiable information appearing in reports "could go end very badly on several levels."

The post, published at 12:12 PM on April 24, 2026, gathered 14 likes, 8 reposts, and 3 replies, with 2,028 views - modest engagement that nonetheless reflected the speed with which the SEO community absorbed and reacted to the news.

The technical mechanics of manual actions

To understand why this matters, it is worth examining how manual actions work within Google's search infrastructure. A manual action is distinct from an algorithmic penalty. What Google actually looks for when it catches spam sites - covered by PPC Land in April 2026 - described how manual reviews involve a human reviewer at Google who assesses a site and applies a penalty that is then documented in Google Search Console. Manual actions reduce or remove a site's visibility in search results. They can be contested through a formal reconsideration request once the offending behavior has been corrected.

The spam reporting form is one input channel into this system. When someone submits a spam report, Google's spam-fighting team may use it as a signal during a manual review. If a manual action results, Google's current policy requires that the context of the report - including the text submitted - be shared with the site owner. That is the regulatory obligation the new notice describes, and it is the reason PII in such submissions carries genuine risk.

Manual search penalties to affect Google Ads in unprecedented policy change - a December 2024 policy shift tracked by PPC Land - added another dimension to this landscape. Since that change, sites receiving manual actions in organic search also face automatic consequences for advertising eligibility. A manual action no longer affects only a site's rankings; it can also trigger disapproval of its advertising campaigns. That integration makes the spam reporting pipeline - and the safeguards surrounding it - more consequential than ever for publishers and advertisers simultaneously.

What changed and what did not

The new policy does not alter the underlying requirement to share submission text with site owners. That compliance obligation remains in place. What changed is the handling of submissions that contain PII: rather than forwarding that information to the site owner, Google will now discard the submission entirely. The report will not be processed. No manual action will flow from it.

This creates a clear functional trade-off. A person submitting a spam report who inadvertently includes their name, contact details, or any other identifying data will have their report silently dropped. Google's notice addresses this directly, framing the instruction as protective: "Not including such information fully ensures your information is safe and prevents your submission from being discarded."

The phrase "we determine it contains personally identifying information" is notable for its ambiguity. The documentation does not specify whether this determination is made by an automated system, a human reviewer, or some combination. It also does not define what qualifies as personally identifying information for the purposes of this check. Standard definitions of PII under frameworks such as GDPR include names, email addresses, IP addresses, location data, and any information that can identify a natural person directly or indirectly. Whether Google applies a broad or narrow definition in this context is not stated.

The spam report form in context

Google's spam reporting form exists as part of a broader ecosystem of spam enforcement tools. Google's March 2026 spam update - released on March 24, 2026 at 12:18 PDT - illustrates the scale at which algorithmic enforcement operates. That update applied globally across all languages and completed within approximately 19.5 hours, making it the fastest spam update on record. The spam report form, by contrast, feeds the manual side of enforcement - a much smaller but more targeted channel.

The form covers several categories of violations. Under "Spammy, deceptive, or low quality webpages," it covers ranking manipulation techniques that attempt to compromise search result quality and violate Google's spam policies. Google notes that such reports may be used to take manual action against violations. Separate categories on the same form cover spam, phishing, and malware.

The PII restriction applies specifically to the free-text submission field, where reporters can describe the nature of the violation. Structured fields - such as the URL of the page being reported - are not mentioned in the notice, and the documentation does not explicitly address whether structured data fields are subject to the same PII check.

Context: how Google has handled spam enforcement in 2026

The spam report policy update sits within a period of notably active enforcement. Google sets June 15 deadline to stop hijacking users' back button - announced on April 13, 2026 - added back button hijacking as an explicit violation under the malicious practices category of Google's spam policies, with enforcement set to begin two months after the announcement. That policy drew attention in part because back button hijacking often originates from third-party JavaScript libraries, not from code written by the site owner directly.

The August 2025 spam update, which completed its rollout on September 22, 2025 after a 27-day deployment, was described by SISTRIX as having minimal visible impact on rankings despite its extended duration. Before that, the December 2024 spam update completed in exactly seven days after launching on December 19, 2024.

Against that backdrop of repeated algorithmic interventions, the spam report form remains a manual-review channel that handles specific, human-identified violations. Its operational rules have direct consequences for anyone trying to report manipulation they observe in search results.

Privacy compliance and regulatory framing

Google's repeated reference to regulatory compliance in its form language is not incidental. The phrase "to comply with regulations" likely refers to frameworks such as the General Data Protection Regulation in Europe and analogous privacy laws elsewhere, which establish specific requirements around transparency and the right to know the basis for adverse decisions. In an administrative or quasi-administrative context - which a manual action affecting a site's search visibility arguably resembles - the entity taking the action may be required to disclose the grounds for that action to the affected party.

That regulatory backdrop gives the spam report disclosure requirement a structural logic that is separate from Google's own preferences. It is not that Google chose to tell site owners who reported them; it is that legal frameworks in certain jurisdictions may require that affected parties receive notice of the context behind enforcement actions against them. The PII restriction now acts as the safety valve within that structure: if a submission contains identifying information that would expose the reporter, the submission is simply not accepted.

Google's anti-privacy push sparks backlash among advertisers - covered by PPC Land in April 2025 - showed how Google's handling of personal data in advertising contexts drew sharp criticism from marketing professionals. The spam report episode reflects a similar dynamic: a policy that appeared technically logical created immediate community pushback once its implications for individual privacy became apparent.

What this means for spam reporters

The practical guidance embedded in the updated form is direct. Submissions to the spam report should describe the violation in factual, impersonal terms - URL, behavior observed, policy implicated - without including the name, email, employer, or any other identifying detail of the person filing the report. Submissions that Google's systems identify as containing PII will be discarded without processing.

The site reputation abuse manual reviews that began in May 2024 illustrated how community-reported signals can feed into enforcement cycles. The integrity of that pipeline depends in part on the quality and completeness of submissions that reach the review team. A submission discarded for containing PII contributes nothing to that process.

For the broader SEO and search marketing community, the episode is a reminder of how quickly Google can iterate on policy when community feedback is both vocal and well-reasoned. The original change was communicated; it drew criticism; within weeks, Google made a further clarification that addressed the core concern. Whether that iterative responsiveness applies equally to more commercially significant policy changes remains a separate question.

Timeline

Summary

Who: Google, with SEO consultant Glenn Gabe (@glenngabe) among the first to publicly document and analyse the change. The update affects anyone who submits spam reports through Google's search quality reporting form, as well as site owners who may receive notification of manual actions.

What: Google reversed a controversial element of its spam report policy. Rather than forwarding all submission text - including potentially identifying information - to site owners when a manual action is issued, Google will now decline to process any submission that it determines contains personally identifying information. The change follows community criticism over privacy and identity-spoofing risks inherent in the original disclosure approach.

When: The further clarification was announced on April 24, 2026. The original policy change that prompted the backlash had been communicated a couple of weeks prior.

Where: The change applies to Google's spam, phishing, and malware reporting form, specifically the section covering spammy, deceptive, or low quality webpages. It affects users globally who submit spam reports to Google Search.

Why: Google cited regulatory compliance as the basis for the underlying disclosure requirement - the obligation to share submission context with site owners when a manual action is issued. The PII restriction was added because community feedback identified that transmitting identifying information to reported parties created privacy risks and potential for identity spoofing. By discarding PII-containing submissions rather than forwarding them, Google protects reporters while maintaining its compliance framework for non-identifying reports.

Share this article
The link has been copied!