A year into an investigation into the use of data analytics in political campaigns, the U.K.\u2019s privacy watchdog is hitting companies that shared data with political parties with sanctions including a criminal prosecution and a \u00a3500,000 (US$660,000) fine.\nThe Information Commissioner\u2019s Office also plans to audit the activities of 11 political parties and of the main credit reference companies operating in the U.K., amid concerns that data brokers were allowing the personal data of U.K. and other European Union citizens to be processed for political purposes.\n\n[ Beware the 9 warning signs of bad IT architecture and see why these 10 old-school IT principles still rule. | Sign up for CIO newsletters. ]\n\nThe regulator is concerned that citizens whose data ends up in the hands of political parties and the data analytics firms working for them many not have provided the consent called for by data protection legislation.\nAn insurance company, Eldon Insurance Services, is also under investigation, suspected of passing data about its clients to an organization campaigning in the U.K.\u2019s EU membership referendum. One angle ICO is pursuing is whether the company sent data to the U.S., and in particular to the University of Mississippi.\u00a0\nThe stakes are high for businesses that, knowingly or unknowingly, allow their customers\u2019 personal information to be used for political purposes without consent.\nICO said Wednesday that it intended to fine Facebook \u00a3500,000 for lack of transparency and for security issues relating to the harvesting of personal data it held by Cambridge Analytica.\nThe fine Facebook faces is the maximum possible under legislation in effect at the time of the events concerned. Since the introduction of the EU\u2019s General Data Protection Regulation on May 25, though, the maximum fine is now \u20ac20 million (US$23.5 million) or 4 percent of a company\u2019s worldwide revenue, whichever is greater.\nAlthough ICO\u2019s investigation focused on concerns surrounding the conduct of the U.K.\u2019s 2017 general election and the referendum on leaving the EU, Cambridge Analytica\u2019s involvement in politics has been an issue since the 2016 U.S. presidential election campaign, in which the winning Republican candidate also used the company\u2019s services.\nICO intends to bring a criminal prosecution against Cambridge Analytica\u2019s parent company SCL Elections for its failure to provide U.S. academic Professor David Carroll with details of the information it held about him following a Subject Access Request filed in January 2017.\nAnother company, AggregateIQ Data Services, is also in ICO\u2019s sights. The regulator has ordered it to "cease processing any personal data of U.K. or EU citizens obtained from U.K. political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes." The company spent around $2 million targeting Facebook advertising at a list of email addresses on behalf of political groups seeking to influence the U.K. EU membership referendum vote.\nICO has also said it intends to take regulatory action against data broker Lifecycle Marketing (Mother and Baby), which distributes a guide called Emma\u2019s Diary to pregnant women.\nThe net could spread wider, as ICO expects its investigation to continue at least through October.