Well, the Belgian Data Protection Agency (the Belgian organization responsible for enforcing the GDPR) has fined IAB Europe €250,000 because the TCF “fails to comply with a number of provisions of the GDPR”.
I don’t know whether fining IAB Europe is the correct choice, as they themselves claim they aren’t a data controller and only provide guidance (and a spec) for other companies to use. But the fine itself is not really what is going to be turn out important. The judgement requires:
all recipients of the personal data processed in the TCF . . . to permanently delete all TC Strings and other personal data already processed in the TCF from all IT systems, files and data carriers.
One piece of irony - if you search for articles about this you will find they are nearly all protected by consent dialogs based on TCF.
Here is the full judgement in English.