A company that offers pregnant women and new parents health advice and gifts, faces a fine for illegally sharing more than a million people's personal data with the Labour Party.
The UK's data watchdog intends to issue the owner of the Emma's Diary service a £140,000 penalty.
It said Lifecycle Marketing had sold the data for use in the 2017 general election campaign without disclosing it might do so.
The firm disputes the findings.
It said it had not been given an opportunity to respond to the Information Commissioner's Office's complaints before the report was published
"As a result, details of the ICO's findings, including those being reported by the press, contain significant factual inaccuracies which we trust will be corrected," said a spokeswoman for Lifecycle Marketing.
"This includes the untrue claim that we sold data from expectant mothers to the Labour Party. Furthermore, Lifecycle has never been, nor ever will be, involved in collecting data from mothers in maternity wards."
It is common for political parties to buy personal information to target their campaigns, but appropriate consent must have been obtained by the providers.
Labour has said that it will review its "approach to acquiring data from third parties" in light of the report.
One legal expert said the intervention was likely to cause wider concern.
"After the Obama campaigns, political parties saw the need to step up their data game, and at the time the playing field was not worked out," said Sam Fowles from Cornerstone Barristers.
"They will certainly be worried now about whether they overstepped the mark in light of this."
Mothers and children
The Information Commissioner's Office revealed its planned punishment in a footnote to a report about the misuse of personal data during the Brexit referendum.
It said it would not normally announce its intention to impose a fine until it had completed its inquiries, but believed in this case that there was an "overriding public interest to do so".
The ICO said that on 5 May 2017, Lifecycle Marketing has supplied 1,065,200 records to the data broker Experian Marketing Services for use by Labour.
Each record included:
- the name of the parent who had joined Emma's Diary
- their home address
- whether children up to the age of five were present
- the birth dates of the mother and children
The ICO said the Buckinghamshire-based Lifecycle Marketing had understood the data would be used by a mail campaign promoting Labour's family-friendly policies in 106 constituencies.
Emma's Diary is promoted by the Royal College of General Practitioners among others, and its information packs are distributed by many GPs and midwives.
The benefits of joining include tailored emails with pregnancy and breastfeeding advice, as well as discount vouchers for high street stores and gift packs including nappies, baby wipes and other similar items.
A companion app also allows mothers-to-be to keep a journal of their pregnancies and make a time-lapse video of their growing bumps.
But while the policy had listed several business sectors and specific companies that might get the data, the ICO said there had been no mention of political parties.
In fact, the watchdog added, the policy was only amended to do so in January 2018 after the ICO had told the company it was under investigation.
This, the regulator concluded, breached the Data Protection Act's "fairness" requirement that organisations be transparent about how gathered personal data might be used.
It added that there may also have been a breach of the European Convention on Human Rights.
In considering the size of its penalty, the watchdog said it had taken into account that it understood Lifecycle Marketing had not shared personal data with a political party on any other occasion, and had expected the information to be deleted after the general election vote.
But it added that it was not clear how the firm could be confident that the data had indeed been permanently erased.
The ICO added that it would make a final ruling after hearing back from Lifecycle Marketing, and would confirm the size of the penalty on or after 30 July.
"[We] will be submitting our written representations to challenge the ICO's findings in accordance with the usual process," said a spokeswoman for Lifecycle Marketing in response.
The Royal College of General Practitioners acknowledged it had a "long-running relationship" with Emma's Diary but added that it "does not hold or receive data and has had no involvement in the case being investigated".
Experian Marketing Services said that it was aware of the ICO's concerns and would "remain vigilant when it comes to data security and integrity".
The ICO has said it wants the UK's 11 main political parties to have their data-sharing practices audited later this year and said it also has "outstanding enquiries with a number of data brokers".
"[In the past] there had been a much looser interpretation of the fairness principle, and it wasn't applied as tightly and rigorously as it has been in this case," Mr Fowles explained.
"Now we see this is the direction of travel for the Information Commissioner, companies and political parties are going to have to think very carefully about what they told people when they took data from them."