Credit reference agency Experian has been sharing the personal information of millions of people without consent and must stop, the UK's information commissioner has ruled.
The firm sold on the data to businesses that used it to identify who could afford goods and services, as well as to political parties.
The company must make "fundamental changes" to how it handles data or face a huge fine, the watchdog said.
Experian has said it will appeal.
"We believe the ICO [Information Commissioner's Office]'s view goes beyond the legal requirements," the Dublin-based firm said in a statement.
"This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, especially as they try to recover from the Covid-19 crisis."
While Experian has made efforts to improve its practices, the ICO said they did not go far enough.
The company now has nine months to satisfy the regulator or face fines of up to £20m, or 4% of its global turnover, whichever is higher.
The two-year investigation was prompted by a complaint from the campaign group Privacy International.
It found that Experian and two other credit reference agencies - Equifax and TransUnion - did a significant amount of "invisible" processing of data, meaning that people did not know it was happening.
All firms provide a way for people to check their credit score for loans and credit cards.
But they are also data brokers, collecting and selling on information gathered from a variety of sources.
The report found that the agencies had access to the data of almost every adult in the UK, which was then "screened, traded, profiled, enriched, or enhanced to provide direct marketing services".
This processing resulted in "products that were used by commercial organisations, political parties and charities to find new customers and build profiles about people", the investigation stated.
The probe was limited to offline data broking, so did not include data collected about online behaviour.
That is being investigated by the ICO separately.
Equifax and TransUnion do not face further action from the watchdog because both made changes, including withdrawing some products and services. The report did not specify what these products and services were.
All three credit reference agencies failed to clearly explain what they were doing with people's data, said the ICO, despite this being a requirement of the General Data Protection Regulation (GDPR).
"The data broking sector is a complex eco-system where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data," said Information Commissioner Elizabeth Denham.
Experian still needs to:
- inform people that it holds their personal data and how it is using or intends to use it for marketing purposes
- stop the processing of any personal data that has been collected unlawfully under GDPR rules
- stop screening out prospective customers from marketing lists on the basis of financial status
Privacy International's executive director said other countries should carry out follow-up investigations of their own.
"As the UK regulator notes, people don't even know the names of most of these companies and yet they hold everyone's data," said Gus Hosein.
"We believe the deck is stacked against people and this can't continue."