this is just the first step. If the consent string wasn't PII, all the other data tied to the consent string would not be PII as well, because this is the cookie that brings all the data together.
So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together we can start doing what you want. Going after the companies that attach other datasets to the consent string.
Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.
"Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply."
That is not correct. These companies use TCF because the GDPR applies. If it did not - they would not have to use it. The GDPR automatically applies as soon as cookies come into play - regardless of what is in the TCF string.
The main thing here is not that PII data comes into play but that the IAB is the controller. Until now the controller was/is the website that actually controls (and passes to 3rd parties) user data. That is why you have to agree to joint controller agreements if you want to integrate the TCF frameworks on larger web sites.
Some background in IPs: The ruling mentions the reason TCF is PII because it can be combined with IP addresses. No one challenges IP addresses as PII data anymore. There were many ruling that classify IPs as PII - specifically in Germany (even pre GDPR).
So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together we can start doing what you want. Going after the companies that attach other datasets to the consent string.
Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.