First of all, there is uncertainty about on what basis an organization can rely on implied consent. I think that needs to be clarified. That can be included in a model code that's simply attached to PIPEDA, and organizations can simply refer to that. That would shorten the privacy policies. Really, then, the content of the privacy policies of organizations would focus on the supplemental information-handling practices.
I would then suggest that those practices be split into two parts: those which, although they deviate from the model code, are still necessary for the provision of the products and services requested by the individual, and then those that are secondary purposes, such as third-party marketing.