The social networking platform has been accused by the Information Commissioner's Office (ICO) of allowing a "serious breach" of the law to occur.
In a statement, the ICO explained: "Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had.
"Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform."
Facebook - which was handed the maximum fine allowed under the old data protection rules - has confirmed that it is currently reviewing the ICO's ruling.
The company said: "While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015."
The ICO told Facebook in July that it intended to impose the maximum fine.