Very simple sites can violate it. For one example: if you, or anything in your stack, logs IP addresses, you need a legitimate business interest to do so. It is needed for security and usage statistics and stuff, but you will need a lawyer to explain that when you get hit with some fines.
> but you will need a lawyer to explain that when you get hit with some fines.
This is really just scaremongering. Usually there are exceptions to a rule but here I feel fairly comfortable saying: show me a single case where someone got "hit with some fines" and then they needed a lawyer to "explain" things in a lawyery manner and then suddenly everything was fine whereas it wasn't when the site owners responded to an inquiry in normal human language.
If you don't do tracking for no reason and aren't blatantly invading privacy, you'll get a warning if anything -- and for a USA-only site, no country's DPA feels responsible anyway so I'd be highly surprised if they even got to the warning phase even if you were doing something wrong.
I know there are technically some requirements in every privacy policy, e.g. mentioning which rights the user has (I'm not in favor of having those, citing the law in every policy makes them much longer than necessary to read and dilutes the real content, and also it makes it so that you can't have a legal website without complying with the EU's specific laws -- that won't scale if all ~190 countries in the world try to pull that crap), but that's not the same as needing to lawyer up to wave away fines that you got hit with out of the blue as a website that had nothing to do with the EU in the first place.
First you would get a request from a private citizen to explain. And, if you can indeed explain, it would seldom go further than that.
Possibly it'd be nice to have some boilerplate and possibly config tweaks for some of the most common default server configurations though. (Eg. for a standard Wordpress site).