By agreeing to a toothless invasion-of-privacy settlement with Google, federal and state authorities blew a chance to take a bolder stand against the Internet behemoth’s prying into people’s lives.

Between 2008 and 2010, Google employees carrying out its Street View mapping project drove by countless homes across America and harvested people’s personal data, including passwords, medical records, financial accounts and emails. Google initially denied it had obtained private information. Then it said it didn’t get that much information. Then it said whatever information it got was by accident. Then it said a rogue engineer was responsible. Then it said the data had been erased from its systems.

Not one of the denials turned out to be true, according to investigations by the Federal Communications Commission, more than three dozen state attorneys general, and law enforcement authorities in several other countries.

After hearing Google spout such a pack of fairy tales, no one should need a complex algorithm to figure out that the Web information giant should have zero credibility when it claims it respects people’s privacy. Yet, after settling with 38 states and the District of Columbia, Google’s punishment is a mere $7 million fine and a promise to reform and police itself. If Google tried to deny taking information it clearly took, how can it be trusted not to let that happen again?

The FCC determined that the rogue engineer whom Google blamed for scooping up people’s personal data was actually working with others and had reported what happened to his supervisors. But the commission concluded that the engineer had been poorly supervised and fined Google only $25,000 for obstructing an FCC investigation.