The California-headquartered company failed to protect users' information and then failed to be clear about how that information had been harvested by others. That was the conclusion of a major report into whether personal data had been misused by both sides during the EU referendum.
Facebook and Cambridge Analytica have been under scrutiny since it emerged that an app had been used to harvest the data of millions of Facebook users around the world, with the total number of people affected now at 87 million.
The watchdog launched its formal inquiry into the use of data analytics to target voters in March last year amid concerns that Britons’ privacy could be put at risk by new campaign tactics, with a particular focus on the Brexit campaign.
The investigation included political parties, data analytics companies and social media platforms.
In a progress update to a parliamentary select committee, the ICO said it had served Facebook with a notice of intent to issue its maximum fine after it found the company had twice breached the Data Protection Act 1998 (DPA). A final decision will be made after the social media giant has had a chance to respond.
While a fine of £500,000 is the biggest possible punishment available to the ICO, it is the same amount of money that Facebook makes in just a few minutes.
The fine might have been much larger if the breach had taken place under the EU's new data protection regulations. As part of those rules, known as GDPR, firms can be fined up to 4 per cent of their global turnover for data breaches, but the ICO said the timing of the breaches meant it could not use those new powers.
It also wrote warning letters to the main political parties and set out plans for a criminal prosecution against SCL Elections, parent company of Cambridge Analytica, which was shut down following revelations about its use of Facebook data.
Elizabeth Denham, the information commissioner, said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
She added: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
In a separate report, titled Democracy Disrupted? Personal information and political influence, the ICO called for the government to introduce a statutory code of practice for the use of personal data in political campaigns.
The official Brexit campaign group, Vote Leave, remains under investigation over whether it breached the DPA by allegedly transferring UK citizens’ personal data outside the UK.
Leave.EU, the unofficial Brexit campaign headed by former Ukip leader Nigel Farage, is under investigation over allegations it used customer data shared by an insurance company for political campaign purposes.
The Remain campaign, Britain Stronger in Europe, is being probed over its collection and sharing of personal data, specifically with regard to “inadequate third party consents”.
The ICO said it sent warning letters to 11 political parties in total cautioning about personal data use, and notices compelling them to agree to audits of their data protection services.
Damian Collins, chair of the DCMS committee, said: "Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way.
"This cannot be left to a secret internal investigation at Facebook.
"If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed."
Erin Egan, chief privacy officer at Facebook, said: "As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015.
"We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."