I've helped hundreds of companies deal with privacy policies, and you're stuck in the middle. If it's too detailed, then people complain because it's hard to understand. If it's not detailed enough—and this happened with some of the early decisions when PIPEDA first came in—then you're not giving enough information to allow informed consent. So you're caught in the middle.
It can't be too long and complicated, but sometimes it has to be. At the same time, it can't be too simple and too short because then you're leaving things out and you're not telling them enough to give informed consent. It's a very difficult balance to get. Clearly, if you're risk averse, you're going to say more rather than less, and that makes it more complicated. I don't think there's an easy answer. Some people have tried. I must say that the efforts that have been made are sometimes very amusing, but they're not particularly informative.