The United Kingdom's data protection watchdog intends to fine Facebook £500,000, the maximum allowed, for data breaches.
The Information Commissioner's Office said Facebook had failed to ensure another company - Cambridge Analytica - had deleted users' data.
The ICO will also bring a criminal action against Cambridge Analytica's defunct parent company SCL Elections.
And it has raised concerns about political parties buying personal information from "data brokers".
Specifically, it named one company used by the Labour Party, Emma's Diary, which gives medical advice and free baby-themed products to parents.
Facebook said it would respond to the report "soon".
The ICO also said another company, Aggregate IQ, which worked with the Vote Leave campaign in the run-up to the EU Referendum, must stop processing UK citizens' data.
The fine is modest compared with previous sanctions on Facebook.