Describe privacy inplications of changing payment method (#849)

marcoscaceres · web-flow · commit 76135b9666ae · 2019-03-13T15:07:12.000+11:00
diff --git a/index.html b/index.html
@@ -222,10 +222,21 @@ <h2>
           <dfn>Steps for when a user changes payment method</dfn> (optional)
         </dt>
         <dd>
-          Steps that describe how to handle the user changing payment method or
-          monetary instrument (e.g., from a debit card to a credit card) that
-          results in a <a data-cite="WEBIDL#idl-dictionary">dictionary</a> or
-          <a data-cite="WEBIDL#idl-object">object</a> or null.
+          <p>
+            Steps that describe how to handle the user changing payment method
+            or monetary instrument (e.g., from a debit card to a credit card)
+            that results in a <a data-cite=
+            "WEBIDL#idl-dictionary">dictionary</a> or <a data-cite=
+            "WEBIDL#idl-object">object</a> or null.
+          </p>
+          <p>
+            A <a>payment handler</a> that defines <a>steps for when a user
+            changes payment method</a> MUST redact the <a>address line</a>, 
+            <a>organization</a>, <a>phone number</a>, and <a>recipient</a>
+            from any <a>PaymentAddress</a> included in the 
+            <a>PaymentMethodChangeEvent</a>'s <a data-link-for=
+            "PaymentMethodChangeEvent">methodDetails</a> attribute.
+          </p>
         </dd>
       </dl>
       <p>
@@ -4411,7 +4422,16 @@ <h2>
           "WEBIDL#idl-object">object</a> or null, and a <var>methodName</var>,
           which is a DOMString that represents the <a>payment method
           identifier</a> of the <a>payment handler</a> the user is interacting
-          with:
+          with.
+        </p>
+        <p class="note" title=
+        "Privacy of information shared by paymentmethodchange event">
+          When the user selects or changes a payment method (e.g., a credit
+          card), the <a>PaymentMethodChangeEvent</a> includes redacted billing
+          address information for the purpose of performing tax calculations.
+          Redacted attributes include, but are not limited to, <a>address
+          line</a>, <a>dependent locality</a>, <a>organization</a>,
+          <a>phone number</a>, and <a>recipient</a>.
         </p>
         <ol class="algorithm">
           <li>Let <var>request</var> be the <a>PaymentRequest</a> object that
@@ -5308,6 +5328,13 @@ <h2>
           member with a third-party <a>payment handler</a> without user
           consent.
         </p>
+        <p>
+          Where sharing of privacy-sensitive information might not be obvious
+          to users (e.g., when <a data-lt=
+          "payment method changed algorithm">changing payment methods</a>), it
+          is RECOMMENDED that user agents inform the user of exactly what
+          information is being shared with a merchant.
+        </p>
       </section>
       <section class="informative">
         <h2 id="canmakepayment-protections">

-Original file line number
+Diff line change
           <dfn>Steps for when a user changes payment methoddfn> (optional)
         dt>
         <dd>
 -          Steps that describe how to handle the user changing payment method or
 -          monetary instrument (e.g., from a debit card to a credit card) that
 -          results in a <a data-cite="WEBIDL#idl-dictionary">dictionarya> or
 -          <a data-cite="WEBIDL#idl-object">objecta> or null.
 +          <p>
 +            Steps that describe how to handle the user changing payment method
 +            or monetary instrument (e.g., from a debit card to a credit card)
 +            that results in a <a data-cite=
 +            "WEBIDL#idl-dictionary">dictionarya> or <a data-cite=
 +            "WEBIDL#idl-object">objecta> or null.
 +          p>
 +          <p>
 +            A <a>payment handlera> that defines <a>steps for when a user
 +            changes payment methoda> MUST redact the <a>address linea>,
 +            <a>organizationa>, <a>phone numbera>, and <a>recipienta>
 +            from any <a>PaymentAddressa> included in the
 +            <a>PaymentMethodChangeEventa>'s <a data-link-for=
 +            "PaymentMethodChangeEvent">methodDetailsa> attribute.
 +          p>
         dd>
       dl>
       <p>
           "WEBIDL#idl-object">objecta> or null, and a <var>methodNamevar>,
           which is a DOMString that represents the <a>payment method
           identifiera> of the <a>payment handlera> the user is interacting
 -          with:
 +          with.
 +        p>
 +        <p class="note" title=
 +        "Privacy of information shared by paymentmethodchange event">
 +          When the user selects or changes a payment method (e.g., a credit
 +          card), the <a>PaymentMethodChangeEventa> includes redacted billing
 +          address information for the purpose of performing tax calculations.
 +          Redacted attributes include, but are not limited to, <a>address
 +          linea>, <a>dependent localitya>, <a>organizationa>,
 +          <a>phone numbera>, and <a>recipienta>.
         p>
         <ol class="algorithm">
           <li>Let <var>requestvar> be the <a>PaymentRequesta> object that
           member with a third-party <a>payment handlera> without user
           consent.
         p>
 +        <p>
 +          Where sharing of privacy-sensitive information might not be obvious
 +          to users (e.g., when <a data-lt=
 +          "payment method changed algorithm">changing payment methodsa>), it
 +          is RECOMMENDED that user agents inform the user of exactly what
 +          information is being shared with a merchant.
 +        p>
       section>
       <section class="informative">
         <h2 id="canmakepayment-protections">