A US judge has ruled that Google did break the law when it scooped up unsecured wi-fi data while collecting images for Streetview.
It means a group of users can now press ahead with their claim for damages against the search giant.
Google had hoped to have the case dismissed, arguing that its "mistaken collection" of the data did not break wire-tapping laws.
Privacy experts called it a "landmark decision for internet privacy".
The lawyer representing the plaintiffs said that the case would now be resumed.
A Google spokesman said: "We are disappointed in the Ninth Circuit's decision and are considering our next steps."
It had hoped to put the issue behind it, arguing that it had no case to answer because such data was readily accessible to members of the public and therefore not subject to wire-tapping laws.
The US Court of Appeals in San Francisco disagreed.
Circuit judge Jay Bybee said: "Even if it is commonplace for members of the general public to connect to a neighbour's unencrypted wi-fi network, members of the public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network."
"The court made clear that federal privacy law applies to residential wi-fi networks," said Marc Rotenburg, executive director of the Electronic Privacy Information Center.
"Users should be protected when a company tries to capture data that travels between their laptop and their printer in their home."
Between 2008 and 2010, Google collected data from unsecured wi-fi networks in 30 countries.
The data included emails, user names, passwords, images and documents.
Google has always claimed that the collection was inadvertent, following the mistaken inclusion of code, written by an unnamed Google engineer, in its Streetview software.
It later emerged that a senior manager was aware that data was being collected by Streetview cars.
Google has apologised and agree to destroy the data.
In the US it has paid $7m (£4.4m) in US fines to settle a case involving 38 states.
As well as agreeing to delete all the harvested data, Google was also required to launch an employee training programme about privacy and data use which it must continue for at least 10 years.
It must also run a public service advertising campaign to educate consumers about how to secure their information on wireless networks.
The German privacy regulator, which exposed the issue in the first place, imposed fine of 145,000 euros ($192,500, £121,000) on the firm in April.
It described the debacle as "one of the biggest known data protection violations in history".
By contrast, the UK privacy watchdog imposed no fine, but did order Google to destroy all the stored data.