Whatever regulation required these kinds of policy-change notification emails greatly failed us. A notification is not enough. If a company changes its policies, individual user data should be made completely inaccessible to that company until that user explicitly agrees to the new policy.

Yes, this should be the default. However, companies would heavily exploit a rule like this, just as they abused the cookie consent UIs on the web.