diff --git a/index.src.html b/index.src.html index 26c9481..a7863da 100644 --- a/index.src.html +++ b/index.src.html @@ -1510,6 +1510,11 @@

Capability URLs

report's originator. It is still possible, however, for a feature to unintentionally leak such data via a report's [=report/body=]. Implementers SHOULD ensure that URLs contained in a report's body are similarly stripped. + + Even with this information stripped, there might still be sensitive + information encoded in the remainder of the URL. Administrators of sites that + use URLs in this way SHOULD consider operating their own Reporting API + collectors, to prevent the reporting of such URLs to third parties.
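
Review bot: In the added paragraph, "SHOULD consider operating their own Reporting API collectors" pairs a normative keyword with "consider", which leaves nothing testable, and it is addressed to site administrators while the preceding requirement ("Implementers SHOULD ensure that URLs contained in a report's body are similarly stripped") is addressed to implementers. Either drop "consider" so the recommendation is to operate a first-party collector, or rephrase it as non-normative advice to site operators. Separately, "this information" and "use URLs in this way" depend on the section title and earlier text for their meaning. Saying directly that the concern is a capability carried in the part of the URL that remains after stripping would let the paragraph stand on its own. It would also help to state that the third party in question is whoever operates the configured reporting endpoint.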