The information watchdog fined Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a total of £140,000 after it sold the records of a million people to Experian, the world’s biggest credit-checking business.
Experian used the data to create a database to help Labour profile new mothers before the 2017 General Election.
The ICO found that Emma’s Diary’s privacy policies didn’t disclose to customers that the data would go on be used for political marketing or by political parties.
The disclosure failure constituted a breach of the Data Protection Act 1998.
Data commissioner Elizabeth Denham said: “The relationship between data brokers, political parties and campaigns is complex.
“Even though this company was not directly involved in political campaigning, the democratic process must be transparent.”
The ICO said it has put the UK’s 11 main political parties “on notice” to have their data-sharing practices audited later this year.
The watchdog also has outstanding enquiries with a number of data brokers, including Experian.
Ms Denham added: “The ICO is committed to monitoring data brokers, political parties and online platforms and using new audit and enforcement powers so that the public can have confidence that parties and political campaign groups are complying with the law.”
A spokesperson from Lifecycle Marketing said: “The ICO matter is related to data we provided to Experian, some of which was used by the Labour Party for a one-off mailing in connection with Sure Start Children’s Centres.
“We had never previously provided data to a political party and we will never do so again.
“We have always sought to fully comply with our data protection obligations, which we take extremely seriously, we are sorry that on this isolated occasion our interpretation of the DPA has not been in line with the ICO’s.
“We are fully compliant with the new GDPR and give our parents complete control over the communications they receive.”
The advent of the EU’s General Data Protection Regulation (GDPR), which came into effect in May, has meant that the process for giving a company permission to use personal details must be in an “easily accessible form, using clear and plain language”.
Customers must also be told exactly what their information will be used for – and it must be easy for them to opt from having their personal data retained.