In agreeing to settle a case brought by 38 states involving the project, the search company for the first time is required to aggressively police its own employees on privacy issues and to explicitly tell the public how to fend off privacy violations like this one.
While the settlement also included a tiny — for Google — fine of $7 million, privacy advocates and Google critics characterized the overall agreement as a breakthrough for a company they say has become a serial violator of privacy.
Complaints have led to multiple enforcement actions in recent years and a spate of worldwide investigations into the way the mapping project also collected the personal data of private computer users.
“Google puts innovation ahead of everything and resists asking permission,” said Scott Cleland, a consultant for Google’s competitors and a consumer watchdog whose blog maintains a close watch on Google’s privacy issues. “But the states are throwing down a marker that they are watching and there is a line the company shouldn’t cross.”
The agreement paves the way for a major privacy battle over Google Glass, the heavily promoted wearable computer in the form of glasses, Mr. Cleland said. “If you use Google Glass to record a couple whispering to each other in Starbucks, have you violated their privacy?” he asked. “Well, 38 states just said they have a problem with the unauthorized collection of people’s data.”
George Jepsen, the Connecticut attorney general who led the states’ investigation, said that he was hopeful the settlement would produce a new Google.
“This is the industry giant,” he said. “It is committing to change its corporate culture to encourage sensitivity to issues of personal data privacy.”
The applause was not universal, however. Consumer Watchdog, another privacy monitor and frequent Google critic, said that “asking Google to educate consumers about privacy is like asking the fox to teach the chickens how to ensure the security of their coop.”
Niki Fenwick, a Google spokeswoman, said on Tuesday that “we work hard to get privacy right at Google, but in this case we didn’t, which is why we quickly tightened up our systems to address the issue.”
Last summer, the Federal Trade Commission fined Google $22.5 million for bypassing privacy settings in the Safari browser, the largest civil penalty ever levied by the F.T.C. In 2011, Google agreed to be audited for 20 years by the F.T.C. after it admitted to using deceptive tactics when starting its Buzz social network. That agreement included several rather vague privacy provisions.
The new settlement, which requires Google to set up a privacy program within six months, is more specific. Among its requirements, Google must hold an annual privacy week event for employees. It also must make privacy certification programs available to select employees, provide refresher training for its lawyers overseeing new products and train its employees who deal with privacy matters.
Several provisions involve outreach. Google must create a video for YouTube explaining how people can easily encrypt their data on their wireless networks and run a daily online ad promoting it for two years. It must run educational ads in the biggest newspapers in the 38 participating states, which besides Connecticut also include New York, New Jersey, Massachusetts, California, Ohio and Texas.
“There are minimum benchmarks Google has to meet,” said Matthew Fitzsimmons, an assistant Connecticut attorney general who negotiated with the company. “This will impact how Google rolls out products and services in the future.”
Marc Rotenberg of the Electronic Privacy Information Center said the agreement was “a significant privacy decision by the state attorneys general,” adding that “it shows the ongoing importance of the states’ A.G.’s in protecting the privacy rights of Internet users.”
Google Concedes That Drive-by Prying Violated Privacy – New York Times