I did a similar, deeper review of less policies for my course work in Privacy Protection and Freedom of Information with some of the same conclusions around length & required reading level. It's worse than this though; Orgs like Facebook have dozens of documents that deal with what data they collect and how they will use it. Even identifying what comprises their "privacy policy" is a huge task.
Another massive issue: unilateral, largely uncommunicated changes. Stack Exchange used to have a very handy regular (read: legalese) policy and a parallel "plain language" version that I can't find anymore. They still have a relatively decent policy but that's only because the average quality is so low.
for context I was using Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's PIPA which is a scope similar to GDPR in many ways. PIPEDA is an interesting document; it's based on a set of expectations or statements that are decidedly "non legal" in nature which makes it very different from most laws
Another massive issue: unilateral, largely uncommunicated changes. Stack Exchange used to have a very handy regular (read: legalese) policy and a parallel "plain language" version that I can't find anymore. They still have a relatively decent policy but that's only because the average quality is so low.
for context I was using Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's PIPA which is a scope similar to GDPR in many ways. PIPEDA is an interesting document; it's based on a set of expectations or statements that are decidedly "non legal" in nature which makes it very different from most laws