When Sports Authority said “everything must go,” it meant everything — including its customers’ personal information.

The Colorado sporting goods retailer, which filed for Chapter 11 bankruptcy protection in March, this week auctioned its intellectual property, including the Sports Authority name, its e-commerce site and about 114 million customers’ files and 25 million email addresses. Dick’s Sporting Goods won with a $15 million bid.

The customer data could help Dick’s land Sports Authority customers looking for a new place to shop. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said Hemu Nigam, chief executive of SSP Blue and a cybersecurity expert.

As more companies come to understand the value of data, customer information has been auctioned in bankruptcy cases. Yet as consumers work to safeguard their data after breaches at companies such as Target and health insurer Anthem, such sales are another way customers can lose control of their personal information.

“Customer emails are stolen every day (but) they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.”

Businesses can legally to sell consumer information as long as their privacy policies make it clear that data can be transferred or sold if the company is acquired or goes out of business.

Sports Authority posted its policy on its website: “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.”

When a buyer obtains customer information through an acquisition or merger, it often allows new customers to follow the same privacy policy they had with the previous firm. But it’s not guaranteed.

Vague language in a privacy policy can allow companies to force customers to play by new rules.