We do not disclose any nonpublic personal information about you to anyone, except as permitted by law.
“Except as permitted by law”. How reassuring. Is it really necessary to have an official policy promising that that you won’t break the law? And actually stating that they promise to follow the law on this specific issue raises the question, “So are they willing to break the law with regard to other issues?”
This sentence basically means, “We reserve the right to disclose nonpublic personal information about you to the fullest extent permitted by law.”
In particular, later in that paragraph, it states that
… we may disclose the information we collect, as described above, to companies that perform administrative or marketing services on our behalf…
In other words, “We may disclose nonpublic information about you to people who will try to sell you stuff.”
All the regulations about privacy disclosure statements hasn’t actually secured anybody’s privacy, since the regulations only require disclosure; they don’t require that they actually do anything to protect your privacy.