Hacker News

I don't understand the findings. The TCF system doesn't collect personal information. The spec is at [0]. CMPs are the popups responsible for creating the TCF string. The IAB provides a spec for how these should operate, but does not supply one of its own. These can absolutely misbehave, and the IAB has previously notified the adtech industry about known misbehaving CMPs.

[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...



My understanding so far is that the TCF allows providers to accept 'legitimate interest' (instead of direct user consent) as a valid legal basis to store or process user data. This is commonly used for user tracking and advertisement / profiling, meaning you'll get tracked even if you clicked the 'Reject All' button.


My understanding is that Legitimate Interest is something defined by the GDPR lawmakers, not the IAB. If so, and now it appears that LI is not a valid legal basis, then every business operating in Europe needs to be concerned with this ruling, not just adtech.

For example, HN probably collects my IP address under LI. Now it may be illegal for it to do that.


It's defined in GDPR as something that 'can be reasonably expected for the business' and has 'little risk of infringing on privacy'. They specifically list fraud prevention, information security, dealing with employee data, as valid use cases. Marketing most definitely is not.

This move is basically clarifying that you can't simply claim legitimate interest for most advertising purposes, which the TCF was encouraging/facilitating.



