Google added a new section to its spam policies designating “back button hijacking” as an explicit violation under the malicious practices category. Enforcement begins on June 15, giving websites two months to make changes.
Google published a blog post explaining the policy. It also updated the spam policies documentation to list back-button hijacking alongside malware and unwanted software as a malicious practice.
What Is Back Button Hijacking
Back button hijacking occurs when a site interferes with browser navigation and prevents users from returning to the previous page. Google’s blog post describes several ways this can happen.
Users might be sent to pages they never visited. They might see unsolicited recommendations or ads. Or they might be unable to navigate back at all.
Google wrote in the blog post:
“When a user clicks the ‘back’ button in the browser, they have a clear expectation: they want to return to the previous page. Back button hijacking breaks this fundamental expectation.”
Why Google Is Acting Now
Google said it’s seen an increase in this behavior across the web. The blog post noted that Google has previously warned against inserting deceptive pages into browser history, referencing a 2013 post on the topic, and said the behavior “has always been against” Google Search Essentials.
Google wrote:
“People report feeling manipulated and eventually less willing to visit unfamiliar sites.”
What Enforcement Looks Like
Sites involved in back button hijacking risk manual spam penalties or automated demotions, both of which can lower their visibility in Google Search results.
Google is giving a two-month grace period before enforcement starts on June 15. This follows a similar pattern to the March 2024 spam policy expansion, which also gave sites two months to comply with the new site reputation abuse policy.
Third-Party Code As A Source
Google’s blog post acknowledges that some back-button hijacking may not originate from the site owner’s code.
Google wrote:
“Some instances of back button hijacking may originate from the site’s included libraries or advertising platform.”
Google’s wording indicates sites can be affected even if issues come from third-party libraries or ad platforms, placing responsibility on websites to review what runs on their pages.
How This Fits Into Google’s Spam Policy Framework
The addition falls under Google’s category of malicious practices. That section discusses behaviors causing a gap between user expectations and experiences, including malware distribution and unwanted software installation. Google expanded the existing spam policy category instead of creating a new one.
The March 2026 spam update completed its rollout less than three weeks ago. That update enforced existing policies without adding new ones. Today’s announcement adds new policy language ahead of the June 15 enforcement date.
Why This Matters
Sites using advertising scripts, content recommendation widgets, or third-party engagement tools should audit those integrations before June 15. Any script that manipulates browser history or prevents normal back-button navigation is now a potential spam violation.
The two-month window is the compliance period. After June 15, Google can take manual or automated action.
Sites that receive a manual action can submit a reconsideration request through Search Console after fixing the issue.
Looking Ahead
Google hasn’t indicated whether enforcement will come through a dedicated spam update or through ongoing SpamBrain and manual review.
