A persistent JavaScript bug in 24 Hour Fitness's unsubscribe system prevents members from opting out of marketing emails, prompting a developer to build an alternative solution while highlighting potential CAN-SPAM Act violations.
For months, 24 Hour Fitness members attempting to unsubscribe from marketing emails encountered a perplexing roadblock: a Spanish-language error message appearing on the company's official unsubscribe page (https://www.24hourfitness.com/members/unsubscribe). Developer Ahmed Kaddoura traced this issue to a single misconfigured line of JavaScript code in the gym chain's opt-out system.
The technical failure occurs when users submit their email through the unsubscribe form. The underlying JavaScript code uses contentType: !1 (equivalent to false) in its AJAX request, preventing the server from recognizing the data format. The OneTrust consent management platform – ironically designed to ensure regulatory compliance – rejects the request with an "Error de conexión al obtener el token de OneTrust" message.
This malfunction has significant legal implications. Under the CAN-SPAM Act, commercial entities must provide a functional opt-out mechanism. Recent enforcement actions demonstrate serious consequences for violations:
- Verkada's $2.95 million settlement (2024)
- Experian's $650,000 penalty (2023)
- Maximum penalties of $53,088 per non-compliant email
Kaddoura documented receiving 40 marketing emails since October 2025, all linking to the broken unsubscribe page. The messages ranged from promotions for "BUM Energy Cases" to personal training offers and holiday discounts – communications he characterizes as "psychic attacks" on user attention.
Historical evidence suggests this isn't an isolated incident. Reddit threads from as early as 2019 describe identical unsubscribe failures, indicating the bug has persisted for nearly seven years despite user reports. Kaddoura submitted a formal bug report through official channels in November 2025 but received only an acknowledgment with no subsequent resolution.
The developer's analysis revealed the solution requires just one code modification: changing contentType: !1 to contentType: "application/json". When 24 Hour Fitness failed to implement this fix, Kaddoura engineered an alternative: a functional unsubscribe page that bypasses the broken interface by directly calling the API with correct headers.
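The failure and the one-line fix described above can be modelled as follows. This is an added example, not code from 24 Hour Fitness, OneTrust or Kaddoura; it assumes a jQuery-style `$.ajax` options object (where `contentType: false` means "set no header") and a hypothetical server handler that parses the body only when the Content-Type is `application/json`.

```javascript
// Added example: a synchronous model of the failure, not the site's code.
// Assumptions: jQuery-style ajax options on the client, and a server-side
// handler that parses the body only when Content-Type is application/json.

// Resolve the Content-Type the server sees, as $.ajax plus XMLHttpRequest would.
function resolveContentType(options) {
  if (options.contentType === false) {
    // jQuery sets no header; XHR then labels a string body as text/plain.
    // Other body types (e.g. FormData) are not modelled here.
    return typeof options.data === "string" ? "text/plain;charset=UTF-8" : null;
  }
  // jQuery's default when the option is omitted.
  return options.contentType || "application/x-www-form-urlencoded; charset=UTF-8";
}

function buildRequest(options) {
  return { method: options.type || "GET", contentType: resolveContentType(options), body: options.data };
}

// Hypothetical strict handler standing in for the opt-out endpoint.
function handleUnsubscribe(request) {
  const mediaType = (request.contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    return { status: 415, error: "unsupported media type: " + (mediaType || "none") };
  }
  let parsed;
  try {
    parsed = JSON.parse(request.body);
  } catch (err) {
    return { status: 400, error: "malformed JSON body" };
  }
  if (typeof parsed.email !== "string" || !parsed.email.includes("@")) {
    return { status: 400, error: "missing email" };
  }
  return { status: 200, unsubscribed: parsed.email };
}

// Constructed sample input; the address is a placeholder.
const payload = JSON.stringify({ email: "member@example.com" });

const broken = buildRequest({ type: "POST", data: payload, contentType: !1 });
const fixed = buildRequest({ type: "POST", data: payload, contentType: "application/json" });

console.log("broken:", broken.contentType, handleUnsubscribe(broken));
console.log("fixed: ", fixed.contentType, handleUnsubscribe(fixed));
```

The same JSON body is rejected or accepted purely on the header, which is why a check that only inspects the request payload would miss this class of bug.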
This case highlights how minor technical oversights can cascade into significant compliance risks and user experience failures. The persistence of the bug across multiple years suggests systemic issues in how organizations prioritize and address customer-reported technical debt, particularly when it intersects with legal obligations around user consent.
The situation underscores a growing tension between marketing automation systems and regulatory frameworks, where a single misconfigured parameter can transform a compliance tool into an instrument of violation. As Kaddoura notes: "I'm paying for this membership. I can't opt out of their spam. This is evil."