ECG-Liste & Austrian Email Marketing Compliance

The E-Commerce-Gesetz (ECG)is Austria’s national e-commerce law. It transposes the EU E-Commerce Directive (2000/31/EC) into Austrian law and governs how businesses may conduct commercial communications electronically — including email.

Unlike many EU member states that fold e-commerce rules into broader consumer-protection legislation, Austria maintains a dedicated statute. The ECG sits alongside the Telekommunikationsgesetz (TKG 2021) and the GDPR to form the three-layer compliance framework Austrian email senders must satisfy.

§7 ECGis the section directly relevant to email marketing. It introduces Austria’s distinctive opt-out register and imposes identification requirements on every commercial email sent to recipients in Austria.

Austria operates a national opt-out register called the ECG-Liste, maintained by the regulator Rundfunk und Telekom Regulierungs-GmbH (RTR). Any natural or legal person may register their email address on the list to signal that they do not wish to receive unsolicited commercial email.

The obligation applies to senders targeting Austrian recipients regardless of where the sender is established. A Dutch or German company sending to Austrian addresses must comply with §7 ECG just as an Austrian company would.

RTR provides an API and a downloadable file for bulk lookups. The register is updated continuously; senders should refresh their suppression list at least once per month or before each campaign send, whichever is more frequent.

Beyond the ECG-Liste check, §7 ECG imposes three substantive requirements on every commercial email sent to Austrian recipients.

• Clear identification as commercial communication

  The commercial nature of the message must be immediately recognisable — at a glance, before the recipient opens the email. Subject-line obfuscation that hides the promotional intent of a message violates this requirement.

• Sender identity must be disclosed

  The natural or legal person on whose behalf the communication is sent must be clearly and unambiguously identified in the message. A trading name alone is insufficient if it does not allow identification of the legal entity behind it.

• Opt-out must be easy and honoured promptly

  Every commercial email must contain a clear, operable mechanism for the recipient to opt out of future messages. Opt-out requests must be processed without undue delay and at no cost to the recipient.

When MailRadar detects an Austrian sender or recipient context, the following ECG-specific checks are included in your compliance report.

The Telekommunikationsgesetz 2021 (TKG 2021)is Austria’s telecommunications act, which replaced the earlier TKG 2003 and transposed the European Electronic Communications Code. For email marketers, its most significant provision is the prior consent requirement for marketing communications sent to consumers.

Under TKG 2021, sending direct marketing messages — including email — to natural persons without their prior, freely given, specific, informed, and unambiguous consent is prohibited. This mirrors the ePrivacy Directive (Art. 13) but goes further by requiring that consent be documented and easily withdrawable.

For B2B communications, the rules are less strict: the ECG-Liste check and the §7 identification and opt-out obligations apply, but prior consent is not required if the recipient’s corporate email address is used and the communication is relevant to their professional activity.

A step-by-step checklist for senders who reach Austrian recipients.

1. 1

   Check the ECG-Liste

   Before every send, query the RTR ECG-Liste API or download the current register file. Remove any matching addresses from your send list. Keep a timestamped record of each check.

2. 2

   Collect and document prior consent (B2C)

   For consumer recipients, ensure you hold a documented, affirmative opt-in obtained before sending. Store the date, mechanism, and IP of the consent event. Consent must be granular — a blanket terms-acceptance checkbox is not sufficient.

3. 3

   Identify yourself clearly

   Include your full legal entity name (not just a brand name) in the From field or prominently in the email body. A footer with company name, registered address, and VAT number satisfies this requirement and also covers GDPR Art. 13 disclosure.

4. 4

   Make the subject line honest

   Ensure the subject line makes the commercial nature of the email apparent without requiring the recipient to open the message. Avoid misleading subject lines such as "Re:" or "Fwd:" prefixes on unsolicited emails.

5. 5

   Provide and honour opt-out

   Add a List-Unsubscribe header (ideally RFC 8058 one-click) and a visible unsubscribe link in the body. Process unsubscribe requests within 48 hours. Do not re-add unsubscribed addresses.