Google in breach of privacy law
Google's accidental collection of personal data as part of its Street View project has been branded a "serious violation" of privacy laws.
The Canadian privacy commissioner found that the incident was the result of "an engineer's careless error", which saw rogue code accidentally added to Street View software.
It has called on Google to tighten up its privacy rules by February or face further action.
Google has apologised for the error.
"We are profoundly sorry for having mistakenly collected payload data from unencrypted networks," Google said in a statement.
"As soon as we realised what had happened, we stopped collecting all wi-fi data from our Street View cars and immediately informed the authorities."
It follows the conclusion of an investigation by the Canadian privacy commissioner, Jennifer Stoddart.
"Our investigation shows that Google did capture personal information - and, in some cases, highly sensitive personal information such as complete e-mails, e-mail addresses, usernames and passwords," she said.
"This incident was a serious violation of Canadians' privacy rights," she concluded.
The investigation found that thousands of Canadians were affected by the incident and that some very sensitive data, including a list of names of people suffering from certain medical conditions, and telephone numbers and addresses, was collected.
Google said that it had "been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioners questions and concerns".
The rogue code, which collected thousands of e-mail addresses and other personal information from unsecured wireless networks, was developed in 2006 by a Google engineer taking advantage of the search giant's policy of allowing its engineers to use 20% of their time to work on projects of interest to them.
The Canadian investigation found that the engineer developed the code to sample all categories of publicly broadcast wi-fi.
The code was incorporated in the Google Street View cars when the firm decided to collect information about the location of public wi-fi spots in order to feed this information into its location-based services database.
When the decision to use the code was taken the engineer said it created "superficial privacy implications", but these were never assessed by other Google officials.
The Commissioner recommended that Google enhance its privacy training among all employees.
It also called on Google to ensure that it has the necessary procedures to protect privacy before products are launched.
It must also delete all the Canadian data it collected.
If Google complies with these demands, it will face no further action, Ms Stoddart said.
Google is under similar investigation in other countries including the US, Australia and Germany.
Privacy International has said the search giant may face prosecution over the incident.
The Canadian privacy commissioner has been particularly active over the issue of privacy and has recently concluded an investigation of Facebook.