Google's agreed to have its privacy practices monitored for the next 20 years, as part of a settlement with the Federal Trade Commission (FTC).
It's also been barred from misrepresenting its privacy policies, and been ordered to implement a comprehensive privacy program.
"When companies make privacy pledges, they need to honor them," says FTC chairman Jon Leibowitz.
"This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
The investigation was promoted by a complaint from members of the House Energy and Commerce Committee that Google's Buzz social networking service was making user data public.
Although Google led Gmail users to believe that they could choose whether or not they wanted to join Buzz, many who decided not to got signed up anyway. And those who did agree to join weren't adequately informed that the list of people they emailed most frequently would be made public by default.
Adding insult to injury, the 'Turn Off Buzz' option, er, didn't.
Google now needs to obtain user consent before sharing any information with third parties, and will undergo two-yearly, independent privacy audits for the next 20 years. With Buzz set for the chop, the rules will apply to its new social netwroking service, Google+, as well as other services.
It's the first time that the FTC has specifically ordered a comprehensive security program. It's also the first time a company's been found to have violated the US-EU Safe Harbor Framework, which sets out strict rules for companies transferring personal data from the EU to the US.
The decision was approved by a 4-0 vote.