diff --git a/index.html b/index.html
index f7f88529..70101844 100644
--- a/index.html
+++ b/index.html
@@ -623,6 +623,24 @@ <h2>
           <li>Let <var>request</var> be the <a>PaymentRequest</a> object on
           which the method is called.
           </li>
+          <li>
+            <p>
+              Optionally, if the <a>user agent</a> wishes to disallow the call
+              to <a>show()</a> to protect the user, then return a promise
+              rejected with a "<a>SecurityError</a>" <a>DOMException</a>. For
+              example, the <a>user agent</a> may require the call to be
+              <a>triggered by user activation</a>, or may limit the rate at
+              which a page can call <a>show()</a>, as described in the the
+              <a href="#privacy">privacy considerations</a> section.
+            </p>
+            <p>
+              Implementations are expected to experiment in this area.
+              Developers using the payment request API should investigate and
+              anticipate such experiments and understand under what
+              circumstances a "<a>SecurityError</a>" <a>DOMException</a> might
+              occur.
+            </p>
+          </li>
           <li>If <var>request</var>.<a>[[\state]]</a> is not "<a>created</a>"
           then return a promise rejected with an "<a>InvalidStateError</a>" <a>
             DOMException</a>.
@@ -798,8 +816,7 @@ <h2>
             DOMException</a>.
           </li>
           <li>Optionally, at the <a>user agent</a>'s discretion, return a
-          promise rejected with a "<a>NotAllowedError</a>"
-          <a>DOMException</a>.
+          promise rejected with a "<a>NotAllowedError</a>" <a>DOMException</a>.
             <p class="note" data-link-for="PaymentRequest">
               This allows user agents to apply heuristics to detect and prevent
               abuse of the <a>canMakePayment()</a> method for fingerprinting
@@ -2677,7 +2694,7 @@ <h2>
         </p>
       </section>
     </section>
-    <section class='informative'>
+    <section class='informative' id="privacy">
       <h2>
         Privacy Considerations
       </h2>
@@ -2754,6 +2771,10 @@ <h2>
             <li>
               <dfn data-cite="!HTML#allowed-to-use">allowed to use</dfn>
             </li>
+            <li>
+              <dfn data-cite="!HTML#triggered-by-user-activation">triggered by
+              user activation</dfn>
+            </li>
             <li>
               <dfn data-cite="!HTML#in-parallel">in parallel</dfn>
             </li>
