Update (2026-02-22): This article hit #2 on Hacker News and the bug appears to be fixed now.
I like my email subscription-free. I don’t want your blog, newsletter, Substack, etc. in my inbox, even if I love your writing. And I definitely don’t want 30% off creatine coupons from my gym.
The unsubscribe link at the bottom of 24 Hour Fitness’ marketing takes you to https://www.24hourfitness.com/members/unsubscribe
You enter your email and click unsubscribe. You get a mysterious error message in Spanish.
I found the bug. It's one line of JavaScript. I reported it back in November 2025 and got no response, so I built my own unsubscribe page.
In English: "Connection error while retrieving the OneTrust token."
OneTrust is governance, risk, and compliance software. Emails you can’t opt-out of are illegal under the CAN-SPAM Act. The FTC fined Experian $650,000 in 2023 and Verkada $2.95 million in 2024 for ignoring opt-out requests.
This isn't new for 24 Hour Fitness. I found this Reddit post from February 2019 — almost 7 years ago, same problem.
I submitted a bug report via their contact form in November 2025.
They replied: "Thank you Ahmed, for reaching out! We will make sure your comments are forwarded to the appropriate person. Please be assured we are doing our best to follow up as soon as possible, typically within 10 business days."
Months later and the unsubscribe page is still broken.
The fix
I inspected the webpage and the bug is embarrassingly simple:
$.ajax({
type: "POST",
url: m.urlPost,
data: JSON.stringify({...}),
contentType: !1, // BUG: !1 === false
...
})contentType: false tells jQuery to skip the Content-Type header. The server expects JSON. It rejects the request.
Here’s the one-line JavaScript fix:
contentType: "application/json"I implemented my own webpage hosted on this domain which calls the same API but with the correct header.
Getting spammed by 24 Hour Fitness marketing emails?
Unsubscribe Now →If you know someone on the 24 Hour Fitness engineering team, please share this with them.