Facebook has been fined £500,000 – the maximum possible – over the Cambridge Analytica scandal in which user data was harvested from tens of millions of people.
The UK's information commissioner imposed the fine for "serious breaches of data protection law".
The Information Commissioner's Office (ICO) had alerted Facebook to the penalty in June under a so-called "Notice of Intent" and the fine was made public in July.
The ICO said data belonging to 87 million users was improperly accessed by Cambridge Analytica – which has since been shut down.
It believed around one million people were affected in the UK.
The information was used to help Donald Trump's 2016 presidential election campaign.
Facebook broke the law by failing to safeguard people's data and not being transparent about how that data could be harvested, the investigation found.
The penalty is the maximum allowed under the Data Protection Act 1998 but is pocket change for a company valued last year at around $590bn (£445bn).
The scandal took place before new EU data protection laws that allow much larger fines came into force.
In a statement, Facebook said it is "reviewing" the decision.
It said: "While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
"We are grateful that the ICO has acknowledged our full cooperation throughout their investigation."
Elizabeth Denham, the information commissioner, said: "A company of its size and expertise should have known better and it should have done better.
"This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU's General Data Protection Regulation (GDPR).
"These provide a range of new enforcement tools for the ICO, including maximum fines of £17m or 4% of global turnover.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation.
"The fine would inevitably have been significantly higher under the GDPR.
"One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data."