The RSPCA and British Heart Foundation (BHF) have been fined by the data watchdog for secretly screening millions of their donors so they could target them for more money.
Information Commissioner Elizabeth Denham fined the RSPCA £25,000 and the BHF £18,000 after an investigation found that the so-called "wealth screening" was one of three different ways both charities breached the Data Protection Act.
The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources, the Information Commissioner's Office (ICO) found.
They also traded personal details with other charities creating a massive pool of donor data for sale.
Donors were not informed of these practices, and so were unable to consent or object to them.
Ms Denham said: "The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn't enough. And they will be upset to discover that charities abused their trust to target them for even more money."
She warned that other charities could also be engaged in similar activities.
"This widespread disregard for people's privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator's fine for their charity's misuse of personal information."
The fines could have been up to 10 times higher, but Ms Denham said she had exercised her discretion to impose lower penalties.
The Charity Commission confirmed it had open compliance cases into both charities.
Sarah Atkinson, director of policy and communications at the Charity Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable.
"Charities rely on public generosity to carry out their important work. In return, the public trust charities to raise money in a considerate and responsible way and to use it effectively. The law requires, and the public expects, this will include safeguarding donors' personal data.
"We are working with the charities concerned, the Information Commissioner and the new Fundraising Regulator, to ensure that any necessary remedial action is taken. The wider lessons for charities about their responsibility to protect donors' personal data must be shared and acted on."
The two charities employed wealth management companies to analyse the financial status of supporters to estimate how much more money they could be persuaded to give.
The RSPCA told the ICO that it repeatedly wealth-screened all seven million of its supporters without their consent.
During the investigation, the RSPCA told the ICO the practice was common, it had been doing it since 2010 and it had no plans to stop.
The BHF told the ICO it had been screening donors since "at least" 2009.
Between April 2010 and August 2014 it provided records to wealth management companies containing the personal data of several million people.
During the investigation, the BHF told the ICO it had no plans to continue screening.
A Downing Street spokesman said: "On the issue of charities and data protection, they are no different to any other bodies. They must comply with the data protection legislation which exists.
"The Government has been working with charities to make sure that the practices that had been highlighted by the ICO aren't repeated."
BHF chief executive Simon Gillespie indicated the charity would consider challenging the ICO's "wrong, disproportionate and inconsistent" decision.
He said: "We are extremely disappointed in the action the ICO has taken. The trust our supporters put in us demands high standards of fundraising and we take the data protection responsibilities that come with this very seriously.
"The British Heart Foundation has endeavoured to ensure our practices follow ICO and Institute of Fundraising guidelines and we are committed to constantly evolving and improving our approach.
"We find the decision surprising as earlier this year in June the ICO praised our data handling and said that they had no concerns about us as a data controller.
"In June 2015 we took the decision never to share our supporters' data with other fundraisers and we have made it clear to our supporters that this is the case.
"We believe that key aspects of the ICO's decision and findings are wrong, disproportionate and inconsistent. Our trustees will therefore consider whether it's in the interests of our supporters and beneficiaries to challenge this decision."
The RSPCA confirmed it no longer carried out data matching or wealth screening and said it disagreed with the ICO's conclusions.
Chief executive Jeremy Cooper said: "We are disappointed at the ruling and disagree with the conclusions drawn by the ICO.
"There is no suggestion that we lost or sold any personal data, but rather the ICO considered the information we gave to supporters on how their personal data would be used was inadequate.
"There has been one acknowledged contravention, through an inadvertent error, which we ourselves brought to the ICO's attention.
"We always strive to ensure that our practices fully comply with all relevant legislation and are carried out to a high standard. We are listening to the public and are changing the way we ask people to support our vital work which meets their needs and expectations, whilst safeguarding potentially vulnerable people.
"Our supporters and members are the heart of the society. It is only thanks to them that we can do the work we do rescuing, rehabilitating and rehoming thousands of animals each year."