Pro-Brexit campaign group Leave.EU and an insurance company owned by its founder Arron Banks face total fines of £135,000 over breaches of data laws.
It follows an Information Commissioner investigation into the misuse of personal data by political campaigns.
The report says more than a million emails sent to Leave.EU subscribers contained marketing for the Eldon Insurance firm’s GoSkippy services.
Mr Banks defended himself on Twitter after the report’s release.
The Information Commissioner’s Office (ICO), he said, had found “we may have accidentally sent a newsletter to customers” but “no evidence of a grand data conspiracy”.
He added: “Gosh we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?”
The UK voted by 51.9% to 48.1% to leave the EU in a referendum in June 2016.
Since then there have been several investigations looking at how the different campaigns were run, including into how they were funded and how they used personal data.
For its report, the Information Commissioner has been looking at how political campaigns use personal data to “micro target” voters.
The ICO said this had been the “most complex data protection investigation” it had ever carried out, with “an abundance of claims and allegations played out in public”.
It said it had uncovered a “disturbing disregard for voters’ personal privacy”.
The investigation was initially prompted by reports in The Observer about the activities of data firm Cambridge Analytica, which was accused of improperly harvesting millions of Facebook accounts.
The ICO said it had identified “serious breaches of data protection principles” and would have issued a “substantial fine” if the company had not already been in administration.
The report says that Leave.EU and Cambridge Analytica did not pursue a working relationship once Leave.EU failed to obtain designation as the official leave campaign for the 2016 referendum.
It said Leave.EU had explored creating a new organisation with a “view to collecting and analysing large quantities of data for political purposes”, but there was no evidence this had ever functioned.
Fines for Banks
Elsewhere, the report highlights what it says is the close relationship between Leave.EU and Eldon Insurance.
Both organisations face fines of £60,000 for emails which breached data laws.
The ICO said over a million emails between February and July 2017 had been sent to Leave.EU subscribers, including marketing information about GoSkippy, without their consent.
It also imposed a £15,000 fine for a separate “serious” breach after a Leave.EU newsletter was sent to more than 319,000 email addresses on Eldon’s customer database.
A final decision is still to be reached on an alleged breach relating to the company’s overall handling of personal data.
The Vote Leave campaign
Vote Leave, not Leave.EU, was chosen as the official Leave campaign for the 2016 referendum, and worked with a Canadian analytics firm called AIQ.
The ICO focused its investigation on whether, under this arrangement, UK data had been processed in Canada outside UK data protection laws.
It said it had found no evidence Vote Leave had “transferred or processed personal data outside the UK unlawfully – or that it processed personal data without the consent of data subjects”.
But it said it was investigating how Vote Leave delivered “electronic marketing communications” and whether its actions were a breach of privacy rules.
“We do have cause for concern and we will be reporting on this imminently,” it added.
The ICO said it was still looking at how the Remain side handled personal data during the EU referendum campaign.
This includes looking at “the collection and sharing of personal data by Britain Stronger in Europe and a linked data broker”, as well as “inadequate third party consents”, which were similar to issues investigated on the Leave campaigns, it said.
It also investigated a claim that the Liberal Democrats had sold the personal data of its party members to the official Remain campaign – Britain Stronger in Europe – for about £100,000.
This was denied by the Lib Dems and the Stronger In campaign.
“We are still looking at how the Remain side of the referendum campaign handled personal data, including the electoral roll, and will be considering whether there are any breaches of data protection or electoral law requiring further action,” the report added.
Did this affect the referendum?
The ICO said the use of personal data to target political messages had to be “transparent and lawful if we are to preserve the integrity of our election process”.
“We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or in the US election campaigns,” it said.
“But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”
How wide are the ICO’s concerns?
The ICO said it had questioned more than 170 organisations and gathered 700 terabytes of data – the equivalent of 52.2 billion pages of evidence – and it hasn’t finished yet.
Although its Brexit campaign-related findings will dominate today’s reports, its concerns go wider.
The watchdog’s report said all the UK’s 11 major political parties were engaged in risky behaviour and it had sent each a formal warning.
Specifically, the ICO is worried about their use of third-party data brokers and analytics firms that pull in and process the public’s personal information via a variety of sources without necessarily checking that consent has been properly obtained.
In addition, it believes that self-regulation by Facebook and other social media firms has not been consistent or rigorous enough, and that a code of practice “enshrined by law” is now required to govern the way their data and platforms are used.
The regulator also highlighted deep concerns about university researchers’ handling of personal data.
It said that while measures were in place to try to make sure academics behaved ethically, the same could not be said for whether they had taken enough steps to protect the public’s information – particularly in cases where the same academics also did work for private companies.
As a result, the ICO said it was now working with the higher education sector to make sure privacy rules are followed.