Describe privacy inplications of changing payment method (#849)

marcoscaceres · web-flow · commit 76135b9666ae · 2019-03-13T15:07:12.000+11:00
diff --git a/index.html b/index.html
@@ -222,10 +222,21 @@ <h2>
           <dfn>Steps for when a user changes payment method</dfn> (optional)
         </dt>
         <dd>
-          Steps that describe how to handle the user changing payment method or
-          monetary instrument (e.g., from a debit card to a credit card) that
-          results in a <a data-cite="WEBIDL#idl-dictionary">dictionary</a> or
-          <a data-cite="WEBIDL#idl-object">object</a> or null.
+          <p>
+            Steps that describe how to handle the user changing payment method
+            or monetary instrument (e.g., from a debit card to a credit card)
+            that results in a <a data-cite=
+            "WEBIDL#idl-dictionary">dictionary</a> or <a data-cite=
+            "WEBIDL#idl-object">object</a> or null.
+          </p>
+          <p>
+            A <a>payment handler</a> that defines <a>steps for when a user
+            changes payment method</a> MUST redact the <a>address line</a>, 
+            <a>organization</a>, <a>phone number</a>, and <a>recipient</a>
+            from any <a>PaymentAddress</a> included in the 
+            <a>PaymentMethodChangeEvent</a>'s <a data-link-for=
+            "PaymentMethodChangeEvent">methodDetails</a> attribute.
+          </p>
         </dd>
       </dl>
       <p>
@@ -4411,7 +4422,16 @@ <h2>
           "WEBIDL#idl-object">object</a> or null, and a <var>methodName</var>,
           which is a DOMString that represents the <a>payment method
           identifier</a> of the <a>payment handler</a> the user is interacting
-          with:
+          with.
+        </p>
+        <p class="note" title=
+        "Privacy of information shared by paymentmethodchange event">
+          When the user selects or changes a payment method (e.g., a credit
+          card), the <a>PaymentMethodChangeEvent</a> includes redacted billing
+          address information for the purpose of performing tax calculations.
+          Redacted attributes include, but are not limited to, <a>address
+          line</a>, <a>dependent locality</a>, <a>organization</a>,
+          <a>phone number</a>, and <a>recipient</a>.
         </p>
         <ol class="algorithm">
           <li>Let <var>request</var> be the <a>PaymentRequest</a> object that
@@ -5308,6 +5328,13 @@ <h2>
           member with a third-party <a>payment handler</a> without user
           consent.
         </p>
+        <p>
+          Where sharing of privacy-sensitive information might not be obvious
+          to users (e.g., when <a data-lt=
+          "payment method changed algorithm">changing payment methods</a>), it
+          is RECOMMENDED that user agents inform the user of exactly what
+          information is being shared with a merchant.
+        </p>
       </section>
       <section class="informative">
         <h2 id="canmakepayment-protections">
