diff --git a/index.html b/index.html index 461d89e..47533e8 100644 --- a/index.html +++ b/index.html @@ -2235,7 +2235,10 @@

  • The CanMakePaymentEvent event should not be fired in private browsing mode. The user agent should behave as if respondWith() - was called with true. + was called with false. We acknowledge a consequent + risk: if an entity controls both the origin of the Payment Request + API call and the origin of the payment handler, that entity may be + able to deduce that the user may be in private browsing mode.
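Review bot: the added sentence starting "We acknowledge a consequent risk" states the private browsing detection risk but gives neither the reason for changing the assumed respondWith() value from true to false nor any guidance to user agents on limiting that risk. A reader of the resulting text cannot tell what the false value protects against or why the residual risk is accepted. Consider adding one sentence of rationale next to "was called with false". The double hedge in "may be able to deduce that the user may be in private browsing mode" could be tightened to a single "may". The first-person "We acknowledge" also differs in register from the "should" statements in the same list item, so it may read better as an explicitly marked note.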