Another day, another reminder that companies don’t really have to abide by promises to not share your personal information. They have a big “but” in their contracts.

Last week, it was WhatsApp and Facebook. We’ll get to that in a moment.

This week, millions of Sports Authority customers began receiving notices that their e-mail addresses and other data were about to be transferred to competitor Dick’s Sporting Goods. The transfer is legal because Sports Authority declared bankruptcy and sold off its spare parts this summer. Dick’s, smartly and legally, bought the customer information. According to the L.A. Times, a treasure trove of 25 million e-mails and some other data cost Dick’s $15 million. So you might not think your data is valuable, but someone sure does.

First, here is your need-to-know. The transfer is happening right now. You should look for an email from Sports Authority explaining the terms and how to opt-out. Go to SAPrivacyTransferNotice.com and opt out there if you wish.

(Update: Looks like you’ll need a code from the email, which is an unnecessary and consumer-unfriendly hurdle)

Again, Dick’s is within its rights to do this. And, thanks to the fine print, so is Sports Authority. On its website, the firm had included the language, “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.”

But you probably didn’t know that. In fact, when Sports Authority asked for your email, you may have been told, “We won’t share it” by an employee or a web page. Consumers are often told that. It’s a lie, unless it includes the “but,” which is often casually omitted or otherwise missed by consumers.

A few firms have been caught selling off customer information without giving themselves the right to do so and were caught. (Radio Shack ended up settling with 38 states’ attorneys general over this). Corporate lawyers have since wizened up.

Last year, the New York Times did a great analysis of the top 100 websites and 85 had added terms allowing the transfer of customer data in an event like a merger or liquidation.

What’s perhaps even more alarming about this trend is the data transfer does not have to happen right away, when the light is shining brightest. It can happen later, when consumer resistance is sure to be lower.

When Facebook announced it would acquire WhatsApp in 2014 for an astonishing $19 billion, the social media giant promised nervous users it would not suck out their data. Then last week, WhatsApp announced it would, in fact, share phone numbers with Facebook. European regulators are looking into the announcement, and privacy groups have asked the FTC to do the same here in the U.S.

Again, users can opt out, but the process is a bit convoluted. (Click here for an explanation).

What does all this really mean? As privacy researcher Alessandro Acquisti from Carnegie Mellon remarks often, it’s much easier to surrender your privacy than to get it back. The nudges to share information are strong; the fight to protect it or recall it is nearly impossible. So know this: Every time a company asks for your data and tells you it won’t be shared, just assume that’s a lie. Almost certainly, it will be shared or sold or auctioned off some day. If you are fine with that, go ahead and reveal. But do so with your eyes wide open.