The UK Information Commissioner's Office followed through with its plan to fine Facebook £500,000 ($645,000 or AU$912,000) over the harvesting of users' data.
The agency said in its penalty notice that data from at least 1 million British users was "unfairly processed" and that Facebook "failed to take appropriate technical and organisational measures" against that happening.
The fine, tied to the, is the maximum amount allowed under the Data Protection Act 1998. The ICO issued in July.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," Elizabeth Denham, the information commissioner, said in a statement.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR."
Facebook noted that it's reviewing the decision, highlighting the previous admission that it "should have done more" to probe the Cambridge Analytica claims in 2015.
"We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica," a Facebook spokesperson said in an emailed statement.
"Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received."
The fine is indeed a fraction of the amount Facebook could have faced if the GDPR -- the EU law that gives citizens more control over their personal data -- had been in effect. The GDPR would've allowed for a maximum fine of 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.
The social media giant's annual revenue in 2017 was nearly $40 billion, which would have meant a possible fine of $1.6 billion under the GDPR rules.
The ICO didn't immediately respond to a request for further comment.
Erin Egan, Facebook's chief privacy officer, said at a privacy conference Wednesday at the European Parliament in Brussels that the company would support comprehensive federal privacy regulation in the US.
First published Oct. 25, 2:10 a.m. PT.
Update, 3:37 a.m. PT: Added new Facebook statement, with a line about Cambridge Analytica servers. Update, 9:30 a.m. PT: Added ICO statement.