[TotempaaltJ]

Not quite. It does base some of its ruling on the consent string (it's the only personal data the IAB manages), but it does also conclude that the IAB is just as responsible as any complying participants. From what I understand, it argues that the IAB sets minimum requirements for the consent screens and ad serving, and those are not good enough.

See also page 126 for a summary of the ruling. An editorial of my favourites:

> order the defendant to

> a. prohibit, via the terms of use of the TCF, the reliance on legitimate interests as a legal ground for the processing of personal data by organisations participating in the TCF

> d. take technical and organisational measures to prevent consent from being ticked by default in the consent interfaces

> e. force consent management platforms to adopt a uniform and GDPR-compliant approach to the information they submit to users

[pixelkaiser]

The whole thing is based on them declaring the IAB the controller of PII data (in this case the consent string). If upheld all the things you list will apply because these are the responsibilities of data controllers as per GDPR. If the TCF string was not deemed PII data then there would not be a controller because the GDPR would not apply.

IMHO, if they were really serious about this, they would have to go after the actual controllers (not the inventor of the spec) - mainly the actual websites that implement these (misleading) banners in the first place. It's beyond me how they can qualify the IAB as a controller when they never collect, process or store any of TCF data.

If this wasn't so politically charged I'd say the IAB has a solid shot of getting this overturned in court.

[simpss]

this is just the first step. If the consent string wasn't PII, all the other data tied to the consent string would not be PII as well, because this is the cookie that brings all the data together.

So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together we can start doing what you want. Going after the companies that attach other datasets to the consent string.

Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.

[pixelkaiser]

"Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply."

That is not correct. These companies use TCF because the GDPR applies. If it did not - they would not have to use it. The GDPR automatically applies as soon as cookies come into play - regardless of what is in the TCF string.

The main thing here is not that PII data comes into play but that the IAB is the controller. Until now the controller was/is the website that actually controls (and passes to 3rd parties) user data. That is why you have to agree to joint controller agreements if you want to integrate the TCF frameworks on larger web sites.

Some background in IPs: The ruling mentions the reason TCF is PII because it can be combined with IP addresses. No one challenges IP addresses as PII data anymore. There were many ruling that classify IPs as PII - specifically in Germany (even pre GDPR).