24 Hour Fitness won't let you unsubscribe from marketing spam, so I fixed it

Source: Hacker News

24 Hour Fitness has a broken unsubscribe page. You receive one of their marketing emails, click the unsubscribe link at the bottom, and are taken to:

https://www.24hourfitness.com/members/unsubscribe

After entering your email and clicking unsubscribe, you get a mysterious error message in Spanish.

I found the bug—a single line of JavaScript—and reported it in November 2025. No response, so I built my own unsubscribe page.

“The audacity of a Spanish error message on a US gym website.” — Claude

What the heck is this? 🤔

Error de conexión al obtener el token de OneTrust.

OneTrust is an American software company that develops privacy, security, and data‑governance tools, including consent‑management platforms.

The irony: OneTrust is a consent‑management platform, yet 24 Hour Fitness is using it in a way that violates consent regulations. The error appears in Spanish for some unknown reason.

This is actually illegal

The CAN‑SPAM Act requires commercial emails to provide a working opt‑out mechanism. Violations can result in substantial fines:

• Verkada: $2.95 million (2024) – ignored opt‑out requests.
• Jumpstart Technologies: $900,000 (2006) – failed to process opt‑outs in time.
• Experian: $650,000 (2023) – sent emails that could not be opted out of.

Each individual email can carry a penalty of up to $53,088.

Marketing email = psychic attack

I don’t subscribe to newsletters, Substacks, or blogs I care about. My inbox is for communication, not marketing. Since October 2025 I’ve received 40 marketing emails from 24 Hour Fitness, each linking to the same broken unsubscribe page. Every email feels like a “psychic attack” on my attention. Sample subject lines include:

• “I’m paying for this membership.”
• “I can’t opt out of their spam.”
• “This is evil.”

This isn’t new for 24 Hour Fitness

A Reddit post from February 2019 describes the same issue:

Reddit discussion

The problem has persisted for at least seven years. Not only is it hard to cancel a gym membership, it’s also hard to escape their marketing emails. I hope they fix this; thousands of users are likely affected.

I reported it. No response.

I submitted a bug report via their contact form in November 2025. Their reply:

“Thank you Ahmed, for reaching out! We will make sure your comments are forwarded to the appropriate person. Please be assured we are doing our best to follow up as soon as possible, typically within 10 business days.”

Weeks passed with no follow‑up. The bug remains, and the emails keep coming.

The one‑line JavaScript fix

Inspecting the code revealed an embarrassingly simple mistake:

$.ajax({
    type: "POST",
    url: m.urlPost,
    data: JSON.stringify({...}),
    contentType: !1,  // BUG: !1 === false
    // ...
})

contentType: false tells jQuery to omit the Content‑Type header, but the server expects JSON and therefore rejects the request.

Fix:

contentType: "application/json"

Changing this single line resolves the issue.

So I built my own unsubscribe page

My custom page calls the same API with the correct header, and it works flawlessly. If anyone on the 24 Hour Fitness engineering team sees this, please apply the one‑line fix.