Is it a legal requirement to have a cookie policy?

Yes, a cookie policy is a legal requirement under privacy regulations like the GDPR in the EU and UK. These laws require websites to disclose what personal data is being “processed” (collected, stored or otherwise acted on) and the purposes of that processing. As cookies are categorized as personal data in the GDPR, businesses should disclose their use on their website. They can include their cookie disclosure within their privacy policy or publish it as a standalone cookie policy.

In the US, state-level privacy laws like the CCPA in California require businesses to disclose what data is being collected by cookies and what is done with the data.