Facebook is facing a record £500,000 fine for twice breaching the Data Protection Act.
The UK's data protection watchdog said the social media giant has failed to ensure Cambridge Analytica had deleted users' data.
The Information Commissioner’s Office (ICO) continued that Facebook broke the law by failing to safeguard people’s information and failing to be transparent about how people’s data was harvested by others.
The ICO also announced it proposes to bring criminal action against SCL Elections, the parent company of Cambridge Analytica (CA), for allegedly failing to comply with an enforcement notice and allow access to the data it held.
Despite the proposed fine being a record for the watchdog, campaigners said it was “unacceptable”, as under new data laws the penalty could have totalled more than £450 million.
The fines are based on laws governing the 2013-2014 period when the breaches occurred.
Facebook, with CA, has been the focus of the ICO’s investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users around the world.
The total is now estimated at 87 million, the ICO said.
In March 2017, the ICO began looking into whether personal data had been misused by campaigns on both sides of the UK’s 2016 EU referendum.
It later launched an investigation that included political parties, data analytics companies and major social media platforms.
Wednesday's report gives details of some of the organisations and individuals under investigation, as well as enforcement actions so far.
Erin Egan, chief privacy officer at Facebook, said: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015.
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”
SCL Elections was liquidated in the wake of the scandal.
Other regulatory action set out in the report includes warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices.
Information Commissioner Elizabeth Denham said: “New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters.
“But this cannot be at the expense of transparency, fairness and compliance with the law...
“People cannot have control over their own data if they don’t know or understand how it is being used.
“That’s why greater and genuine transparency about the use of data analytics is vital.”
The interim progress report has been produced to inform the work of the Department for Culture Media and Sport’s (DCMS) select committee into fake news.
The next phase of the ICO’s work is expected to be concluded by the end of October.
Damian Collins, chair of the DCMS committee said: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way.
“This cannot by left to a secret internal investigation at Facebook.
“If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.”