Changes stemming from privacy review

[ianbjacobs]

cc @plehegar, @swickr, @samuelweiler

• Corrected bug by removing MUST language from the informative introduction.
• Corrected bug by aligning the definition of requestBillingAddress (under 9. PaymentOptions dictionary) to look like the other definitions (and include "SHOULD").
• Enhanced 19.6 Exposing user information by explaining more both the reason
  for PaymentMethodChangeEvent and the privacy implications. Enhanced the
  explanation by allowing for other ways to minimize data sharing, including
  an emerging idea for providing an "exclude" array (or similar) as payee
  request data that could be used by the payment method definition to
  limit which response elements are returned.

Relates to
w3c/payment-method-basic-card#72

The following tasks have been completed:

• Confirmed there are no ReSpec errors/warnings.
• Modified Web platform tests (link)
• Modified MDN Docs (link)
• Has undergone security/privacy review (link)

Implementation commitment:

• Safari (link to issue)
• Chrome (link to issue)
• Firefox (link to issue)
• Edge (public signal)

Optional, impact on Payment Handler spec?

• Not so much Payment Handler API, but payment method good practice.
  https://github.com/w3c/payment-request-info/wiki/PaymentMethodPractice

If we merge this pull request, I would like to update that documentation to mention privacy protection around the event.

---

Preview | Diff

[marcoscaceres]

I'm ok with this change. It's handled at the handler level.

[mountainhippo]

@ianbjacobs - these changes look good to me. I think this PR will help address some of the questions raised by PLH and Ralph.

[danyao]

Looks great!

[samuelweiler]

My first impression is that these changes to do not resolve the concern I raised in #842. I am happy to discuss this further after the IETF meeting.

[marcoscaceres]

Got ok from W3C Director to merge this.