Google's error only came to light after the German data protection authority audited the Wi-Fi data collected by Street View cars, which capture real-time photographs of cities across the world for use in Google Maps, the search engine's mapping service.
The authority revealed that as well as collecting SSID information (the network's name) and MAC addresses (the number given to Wi-Fi devices such as a router), Google had also been collecting payload data such as emails or web page content being viewed.
"Google must come completely clean, fully explaining how this invasion of personal privacy happened and why," said Connecticut Attorney General Richard Blumenthal, who is head of a coalition of 38 US states, which are investigating the privacy blunder.
The coalition also wants Google to reveal whether it trialled the code before it was used in the Street View cars.
"We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this allowed the Street View cars to collect data broadcast over wi-fi networks," added Blumenthal.
"We will take all appropriate steps, including potential legal action if warranted, to obtain complete, comprehensive answers."
The search engine apologised again for its "mistake" and claimed it had not broken any laws.
"As we've said before, it was a mistake for us to include code in our software that collected payload data, but we believe we did nothing illegal," Google said in a statement.
As soon as the issue was made public, Google pulled its Street View cars. However, earlier this month, the search engine revealed it was reinstating the vehicles, without the code to capture wi-fi data, in Ireland, Norway, South Africa and Sweden.
The company said it would reintroduce the cars into other locations in the near future.