The campaign group Leave.EU and an insurance company owned by its founder Arron Banks face fines of £135,000 from the UK’s Information Commissioner.
It follows an investigation into the misuse of personal data by political campaigns.
The report says more than a million emails sent to Leave.EU subscribers contained marketing for the Eldon Insurance firm’s GoSkippy services.
The UK voted by 51.9% to 48.1% to leave the EU in the 2016 referendum.
Information Commissioner Elizabeth Denham’s report says that both Leave.EU and Eldon Insurance face fines of £60,000 for the emails, sent in the August after the referendum and the following year, which breached data laws.
Leave.EU also faces a £15,000 fine for a separate “serious” breach after emails were sent to Eldon customers containing a newsletter for the Brexit campaign group.
The report added: “We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU.”
A final decision is still to be reached on an alleged breach relating to the company’s overall handling of personal data.
The report also says that they are “still looking at how the Remain side of the referendum campaign handled personal data, including the electoral roll, and will be considering whether there are any breaches of data protection or electoral law requiring further action”.
The Information Commissioner’s Office (ICO) report says that in its response to an information notice, Eldon admitted to one incident where a Leave.EU newsletter was incorrectly emailed to Eldon customers, due to an error in managing an email distribution system.
“We established that this incident occurred on 16 September 2015, when Leave.EU marketing staff sent an email newsletter, intended for Leave.EU subscribers, to more than 319,000 email addresses on Eldon’s customer database.”
The report also says that Leave.EU and scandal-hit data firm Cambridge Analytica did not pursue a working relationship once Leave.EU failed to obtain designation as the official leave campaign for the 2016 referendum.
It added: “But Leave.EU did explore creating a new organisation, called Big Data Dolphins, with a view to collecting and analysing large quantities of data for political purposes. They explored this project with other organisations, including the University of Mississippi.
“We found no evidence that Big Data Dolphins ever actually functioned, and no evidence that Leave.EU, Eldon or any associated companies had transferred any personal data relating to UK citizens to the UoM.”