Hmm. Something tells me that this could spawn a lot of phishing attempts. I would think a better idea would be to send the email notification and then have the recipients check their privacy center on the official portal. The notifications are one thing, but including an attachment rather than a link back to the privacy center for download? Not sure why they would do it this way.
According to Bleeping Computer: “Starting last week, Google+ users who were affected by this bug have started receiving notifications from Google that state what fields were exposed and the apps that had access to them. The exposed fields and the associated apps are listed in an attached app_details.csv attachment.”
Google Emails Users About Private Data Exposed by Google+ API Bug