First, if you collect personal information of individuals residing in California, the California Online Privacy Protection Act (CalOPPA) requires you to have one, regardless of your location. CalOPPA has very detailed requirements for privacy policies, which you can find here.
If you don't follow CalOPPA's detailed requirements, the state can fine you up to $2,500 per violation, although you will first receive a 30-day notice to comply.
Second, as you probably already know, if you are subject to the EU's new General Data Protection Regulation (GDPR), you must have detailed "privacy notices," among many other requirements. The specific requirements for those notices are described here.
As I noted in my June 4 Legal Briefs column, if you are outside the EU, you are subject to the GDPR only if you specifically target EU residents with offers or you track the online behavior of EU individuals for marketing purposes. The vast majority of U.S. agencies with some EU clients do not do so.
However, these laws or contractual clauses don't explain the recent rash of revisions to privacy policies and cookie pop-ups. My explanation is that businesses subject to the GDPR had to revise their notices, and other companies decided to follow suit for competitive reasons because they did not want to appear unconcerned for privacy.