Cars like this one helped Google collect imagery for Street View. But the cars also collected data from private networks.
SAN FRANCISCO — Google on Tuesday acknowledged to state officials that it had violated people’s privacy during its Street View mapping project when it casually scooped up passwords, e-mail and other personal information from unsuspecting computer users.
In agreeing to settle a case brought by 38 states involving the project, the search company for the first time is required to aggressively police its own employees on privacy issues and to explicitly tell the public how to fend off privacy violations like this one.
While the settlement also included a tiny — for Google — fine of $7 million, privacy advocates and Google critics characterized the overall agreement as a breakthrough for a company they say has become a serial violator of privacy.
Complaints have led to multiple enforcement actions in recent years and a spate of worldwide investigations into the way the mapping project also collected the personal data of private computer users.
“Google puts innovation ahead of everything and resists asking permission,” said Scott Cleland, a consultant for Google’s competitors and a consumer watchdog whose blog maintains a close watch on Google’s privacy issues. “But the states are throwing down a marker that they are watching and there is a line the company shouldn’t cross.”
The agreement paves the way for a major privacy battle over Google Glass, the heavily promoted wearable computer in the form of glasses, Mr. Cleland said. “If you use Google Glass to record a couple whispering to each other in Starbucks, have you violated their privacy?” he asked. “Well, 38 states just said they have a problem with the unauthorized collection of people’s data.”
George Jepsen, the Connecticut attorney general who led the states’ investigation, said that he was hopeful the settlement would produce a new Google.
“This is the industry giant,” he said. “It is committing to change its corporate culture to encourage sensitivity to issues of personal data privacy.”
The applause was not universal, however. Consumer Watchdog, another privacy monitor and frequent Google critic, said that “asking Google to educate consumers about privacy is like asking the fox to teach the chickens how to ensure the security of their coop.”
Niki Fenwick, a Google spokeswoman, said on Tuesday that “we work hard to get privacy right at Google, but in this case we didn’t, which is why we quickly tightened up our systems to address the issue.”
Last summer, the Federal Trade Commission fined Google $22.5 million for bypassing privacy settings in the Safari browser, the largest civil penalty ever levied by the F.T.C. In 2011, Google agreed to be audited for 20 years by the F.T.C. after it admitted to using deceptive tactics when starting its Buzz social network. That agreement included several rather vague privacy provisions.
The new settlement, which requires Google to set up a privacy program within six months, is more specific. Among its requirements, Google must hold an annual privacy week event for employees. It also must make privacy certification programs available to select employees, provide refresher training for its lawyers overseeing new products and train its employees who deal with privacy matters.
Several provisions involve outreach. Google must create a video for YouTube explaining how people can easily encrypt their data on their wireless networks and run a daily online ad promoting it for two years. It must run educational ads in the biggest newspapers in the 38 participating states, which besides Connecticut also include New York, New Jersey, Massachusetts, California, Ohio and Texas.
“There are minimum benchmarks Google has to meet,” said Matthew Fitzsimmons, an assistant Connecticut attorney general who negotiated with the company. “This will impact how Google rolls out products and services in the future.”
Marc Rotenberg of the Electronic Privacy Information Center said the agreement was “a significant privacy decision by the state attorneys general,” adding that “it shows the ongoing importance of the states’ A.G.’s in protecting the privacy rights of Internet users.”
The Street View case arose out of Google’s deployment of special vehicles to photograph the houses and offices lining the world’s avenues and boulevards and lanes. For several years, the company also secretly collected personal information — e-mail, medical and financial records, passwords — as it cruised by. It was data-scooping from millions of unencrypted wireless networks.
A worldwide uproar and investigations in at least a dozen countries ensued. An Australian regulator, Stephen Conroy, called it “probably the single greatest breach in the history of privacy.” Google initially denied any data had been collected from unknowing individuals, then sought to play down what data had been collected and fought with regulators who wanted to examine it. Google said the data had been destroyed, although it turned out some had not been. Some data was purged, but Google is holding the rest until several private lawsuits are resolved.
The company blamed a rogue engineer for the operation. But the Federal Communications Commission said the engineer had worked with others and had tried to tell his superiors what he was doing. He was less a rogue than simply unsupervised, the agency said. The F.C.C. last spring fined Google $25,000 for obstructing its investigation.
In the last several years, Google has repeatedly said it was strengthening its privacy monitoring, adding layers of oversight and controls. For the states, however, those assurances were not quite enough.
“We obviously thought there was more they could do,” said Mr. Fitzsimmons, the assistant Connecticut attorney general. An executive committee of attorneys general will monitor Google for compliance. The $7 million fine is pocket change for Google, which has a net income of about $32 million a day.
“It is the public opprobrium, not the money, that counts in these cases,” said David Vladeck, a professor of law at Georgetown University who formerly directed the F.T.C.’s Bureau of Consumer Protection. “And I think people were rightly unhappy with Google’s collecting the information in the first place and then Google’s lame explanation.”
Regulators in Germany pursued Google aggressively in the case, but closed their investigation in November without bringing charges. That seemed to end the matter until this week. Few outside observers expected the states’ efforts to amount to much.
The inquiry began in June 2010. Richard Blumenthal, then Connecticut’s attorney general, said his office would lead a multistate investigation into what he called “Google’s deeply disturbing invasion of personal privacy.” In December 2010, Mr. Blumenthal — about to become Connecticut’s junior senator — issued a civil investigative demand, equivalent to a subpoena, to get the data. Google never provided it. “That issue was resolved by their admission they had gathered the kinds of data we had alleged they were gathering,” said Mr. Jepsen, the attorney general.
In any case, he said, “what mattered was Google admitted they weren’t just taking pictures.”