A pro-Brexit campaign and insurance company both run by Arron Banks are facing a fine by the UK data watchdog.
The Information Commissioner's Office [ICO] found that the political campaign used access to the personal data of customers of Eldon Insurance to unlawfully send them political marketing material.
The business and campaign have been told of the ICO's intent to fine them a total of £135,000.
They have been given until 5 December to respond to the ruling.
The ICO called the emails a "serious breach" of data protection law, with almost 300,000 sent to the insurance company's customers containing a Leave.EU newsletter.
More than a million messages were also sent to Leave.EU subscribers marketing the insurance firm, which traded under the name GoSkippy.
Mr Banks, 52, is a self-made millionaire who has donated big sums to anti-EU political causes including UKIP ahead of the 2016 referendum.
He owns Eldon Insurance firm and co-founded Leave.EU.
It comes as Mr Banks faces a criminal inquiry into "suspected electoral law offences" relating to the EU referendum campaign.
The Electoral Commission announced last week there were "reasonable grounds" to suspect that Mr Banks was not the true source of £8m in loans made to the Better for the Country organisation, which ran his group Leave.EU.
A "number of criminal offences may have been committed", it added, also referring Leave.EU's chief executive Elizabeth Bilney for investigation.
More from Politics
Responding to that investigation, Mr Banks insisted there was "no evidence of any wrongdoing from the companies I own".
He told Sky News there was a "witch hunt" against him and that the Remain campaign was "trying to tarnish the Brexit campaign".