The UK's data protection watchdog intends to fine Facebook £500,000 for data breaches - the maximum allowed.
The Information Commissioner's Office said Facebook had failed to ensure another company - Cambridge Analytica - had deleted users' data.
The ICO will also bring a criminal action against Cambridge Analytica's defunct parent company SCL Elections.
And it has raised concerns about political parties buying personal information from "data brokers".
Specifically it named one company used by the Labour Party, Emma's Diary, which gives medical advice and free baby-themed products to parents.
Facebook said it would respond to the report "soon".
The ICO also said another company - Aggregate IQ - which worked with the Vote Leave campaign in the run up to the EU Referendum, must stop processing UK citizens' data.
The fine is modest compared with previous sanctions on Facebook.
In 2017 it was fined 110m euros (£95m) by the European Commission, which in the same year punished Google for 2.42bn euros (£2.1bn).
But information commissioner Elizabeth Denham said companies also worried about reputational damage.
The impact of behavioural advertising, when it came to elections, was "significant" and called for a code of practice to "fix the system", she said.
Such a code would ensure that "elections are fair and people understand how they are being micro-targeted".
The action comes 16 months after the ICO began its probe into political campaigners' use of personal data following concerns raised by whistleblower Christopher Wylie, among others.
The ICO found Facebook had breached its own rules and failed to make sure Cambridge Analytica had deleted this personal data.
While Cambridge Analytica insisted it had indeed wiped the data after Facebook's erasure request in December 2015, the ICO said it had seen evidence that copies of the data had been shared with others.
"This potentially brings into question the accuracy of the deletion certificates provided to Facebook," said an ICO spokesperson
The ICO will also bring a criminal action against Cambridge Analytica's defunct parent company SCL Elections.
And it has raised concerns about political parties buying personal information from "data brokers".
Specifically it named one company used by the Labour Party, Emma's Diary, which gives medical advice and free baby-themed products to parents.
Facebook said it would respond to the report "soon".
The ICO also said another company - Aggregate IQ - which worked with the Vote Leave campaign in the run up to the EU Referendum, must stop processing UK citizens' data.
The fine is modest compared with previous sanctions on Facebook.
In 2017 it was fined 110m euros (£95m) by the European Commission, which in the same year punished Google for 2.42bn euros (£2.1bn).
But information commissioner Elizabeth Denham said companies also worried about reputational damage.
The impact of behavioural advertising, when it came to elections, was "significant" and called for a code of practice to "fix the system", she said.
Such a code would ensure that "elections are fair and people understand how they are being micro-targeted".
The action comes 16 months after the ICO began its probe into political campaigners' use of personal data following concerns raised by whistleblower Christopher Wylie, among others.
The ICO found Facebook had breached its own rules and failed to make sure Cambridge Analytica had deleted this personal data.
While Cambridge Analytica insisted it had indeed wiped the data after Facebook's erasure request in December 2015, the ICO said it had seen evidence that copies of the data had been shared with others.
"This potentially brings into question the accuracy of the deletion certificates provided to Facebook," said an ICO spokesperson