Pro-Brexit campaign group Leave.EU and an insurance company owned by its founder Arron Banks face total fines of £135,000 over breaches of data laws.
It follows an Information Commissioner investigation into the misuse of personal data by political campaigns.
The report says more than a million emails sent to Leave.EU subscribers contained marketing for the Eldon Insurance firm’s GoSkippy services.
Mr Banks defended himself on Twitter after the report’s release.
The Information Commissioner’s Office, he said, had found “we may have accidentally sent a newsletter to customers” but “no evidence of a grand data conspiracy”.
He added: “Gosh we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?”
The Information Commissioner said it had been the “most complex data protection investigation” it had ever carried out, with “an abundance of claims and allegations played out in public”.
It was initially prompted by reports in The Observer about the activities of data firm Cambridge Analytica, which was accused of improperly harvesting millions of Facebook accounts.
The ICO said it had identified “serious breaches of data protection principles” and would have issued a “substantial fine” if the company had not already been in administration.
The report says that Leave.EU and Cambridge Analytica did not pursue a working relationship once Leave.EU failed to obtain designation as the official leave campaign for the 2016 referendum.
It said Leave.EU had explored creating a new organisation with a “view to collecting and analysing large quantities of data for political purposes”, but there was no evidence this had ever functioned.
Fines for Banks
Elsewhere, the report highlights what it says is the close relationship between Leave.EU and Eldon Insurance.
Both organisations face fines of £60,000 for emails, sent in the August after the referendum and the following year, which breached data laws.
Leave.EU also faces a £15,000 fine for a separate “serious” breach after emails were sent to Eldon customers containing a newsletter for the Brexit campaign group.
The report says that in its response to an information notice, Eldon admitted to one incident where a Leave.EU newsletter was incorrectly emailed to Eldon customers, due to an error in managing an email distribution system.
“We established that this incident occurred on 16 September 2015, when Leave.EU marketing staff sent an email newsletter, intended for Leave.EU subscribers, to more than 319,000 email addresses on Eldon’s customer database.”
It added: “We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU.”
A final decision is still to be reached on an alleged breach relating to the company’s overall handling of personal data.
The ICO said it was still looking at how the Remain side handled personal data during the EU referendum campaign.
This includes looking at “the collection and sharing of personal data by Britain Stronger in Europe and a linked data broker”, as well as “inadequate third party consents”, which were similar to issues investigated on the Leave campaigns, it said.
It also investigated a claim that the Liberal Democrats had sold the personal data of its party members to the official Remain campaign – Britain Stronger in Europe – for about £100,000.
This was denied by the Lib Dems and the Stronger In campaign.
“We are still looking at how the Remain side of the referendum campaign handled personal data, including the electoral roll, and will be considering whether there are any breaches of data protection or electoral law requiring further action,” the report added.
Did this affect the referendum?
The ICO said the use of personal data to target political messages had to be “transparent and lawful if we are to preserve the integrity of our election process”.
“We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or in the US election campaigns,” it said.
“But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”