Both companies were investigated by the Information Commissioner's Office (ICO) after complaints about the way in which personal information was being processed.
The ICO acted on customer concerns about the way in which new members of staff at Orange were allowed to share user names and passwords when accessing the company IT system.
The ICO found that Orange was not keeping its customers' personal information secure and was therefore in breach of the DPA.
In a separate investigation, the ICO ruled that Littlewoods had failed to process customers' data in line with the DPA.
This followed a customer's attempt to stop the company using her personal data for direct marketing purposes. Despite her requests, Littlewoods continued to send her marketing material.
The ICO has now required both companies to sign a formal undertaking to comply with the principles of the legislation.
Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO, and could result in prosecution.
"Organisations that process individuals' personal information must do so in compliance with the DPA," said Mick Gorrill, head of regulatory action at the ICO.
"If they do not, they risk further action from the Information Commissioner and risk losing the trust of their customers. Individuals must feel confident that organisations are safeguarding their personal information."
Last month the Information Commissioner called for stronger powers to allow his office to carry out inspections and audits to ensure that organisations are complying with the DPA.
The Commissioner currently has to gain consent before inspecting an organisation for compliance.
All Privacy & Data