Facebook joined a chorus of high-profile tech companies earlier this month when it confirmed that it uses contractors to manually listen to users' audio messages to improve Messenger's AI. After a Bloomberg report revealed the practice, Facebook announced the process was on hiatus. "Much like Apple and Google, we paused human review of audio more than a week ago," a Facebook spokesperson told CNBC.

Some privacy advocates noted Facebook Messenger's policy allows transcription of all messages, even without the consent of all parties involved in the audio recording. The practice highlights how such apps and smart devices only need to obtain consent from one party to record multiple parties, lawyers said.

The Stored Communications Act allows a company to disclose data if the originator of the data opts in, noted Duquesne University School of Law professor Agnieszka McPeak.

Additionally, the law also provides a data sharing exemption if the content is necessary to deliver the service, said Otterbourg privacy and cybersecurity practice chairman Philip Berg. "One would argue they are trying to refine their artificial intelligence or voice recognition services, and it's necessary to transcribe by a human to get that service right," he said.

However, although a smart device or app records a command directed to it, it can also record background conversations. Lawyers said state consent laws can apply to this situation, but if a company isn't sharing and transcribing conversations in real-time, it still clears a significant all-party consent hurdle.

Matthiesen, Wickert & Lehrer partner Gary Wickert noted that, if a smart speaker or app picks up a recording of a third party, it is not an illegal interception.

What's more, "If they are 'transcribing' an oral discussion, seems to me the oral conversation would already have to have been 'recorded,'" Wickert said. He added, "If the conversation is already 'recorded,' then the sole question remaining is whether consent has been given for Facebook to record it."

When a company does obtain consent to collect and share data, lawyers noted the Federal Trade Commission is likely monitoring whether that company's activities match their privacy and collection policies.

"I think frankly, there is nothing going to prohibit them from that [manually transcribing recordings]," said Mindi Giftos, a Husch Blackwell partner and leader of the IoT/blockchain and data privacy, security and breach response teams. "The key is the companies will have to explain to customers about what they are doing."

Facebook knows firsthand the ire of the FTC after its record-setting $5 billion fine over data misuse last month, and Giftos said the social media juggernaut is being watched closely.

"I think, in light of the FTC fine and this being the second go-around with the FTC, they need to be extra careful," Giftos said. "I think Facebook needs to be very transparent about what they are doing and more importantly being accurate about what they are doing."

Likewise, some U.S. senators have expressed their interest in finding out how large tech companies are storing and sharing audio recordings and their transcripts. Sen. Chris Coons, D-Delaware, for instance, received a letter in June from Amazon.com Inc. after he requested information regarding Echo's data deletion policy.

In its response, Amazon revealed it retains records of transactions made through the Echo and doesn't delete "underlying data" needed when setting reoccurring alarms or reminders.

At the time, Dickinson Wright member Sara Jodka said that Amazon's failure to anonymize user identity in transcripts could lead to "potential liability" when the smart device records background conversations without prior consent in full-party consent states. Plus, if the device collects transcripts or information regarding protected health information (PHI), they could face a host of regulations.

"That opens you [up] to categories of information and state law protections about how that information needs to be captured and stored," she said.