The UK Information Commissioner's Office followed through with its plan to fine
£500,000 ($645,000 or AU$912,000) over the harvesting of users' data.
The agency said in its penalty notice that data from at least 1 million British users was "unfairly processed" and that Facebook "failed to take appropriate technical and organisational measures" against that happening.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," Elizabeth Denham, the information commissioner, said in a statement.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR."
Facebook noted that it's reviewing the decision, highlighting the previous admission that it "should have done more" to probe the Cambridge Analytica claims in 2015.
"We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica," a Facebook spokesperson said in an emailed statement.
"Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received."
The fine is indeed a fraction of the amount Facebook could have faced if the General Data Protection Regulation -- the EU law that gives citizens more control over their personal data -- had been in effect. The GDPR would've allowed for a maximum fine of 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.
Watch this: Apple, Facebook support more privacy laws
The social media giant's annual revenue in 2017 was nearly $40 billion, which would have meant a possible fine of $1.6 billion under the GDPR rules.
The ICO didn't immediately respond to a request for further comment.