In an effort to stem and track COVID-19 infections, various governments have turned to private entities to help create COVID-19 tracking phone solutions. For tech and telecommunication companies, the vendor opportunity could be a win-win to help battle the novel virus and bring in revenue as the economy falters.

"There's a lot of motive if you are underutilized because it's the right thing to do or to make your payroll," noted Morrison & Foerster partner Miriam Wugmeister, whose practice includes privacy, data security, global risk and crisis management. "There's a lot of motivation to do something that's innovative," she added.

To be sure, Apple and Google have already publicly announced a partnership to create technology that allows users to receive Bluetooth-based notifications if they have come into contact with someone that is COVID-19 positive. 

However, before other companies join similar COVID-19 phone-tracking endeavors, Wugmeister and other lawyers stressed privacy by design is crucial to recalibrate what type, how much and how long data is collected.

The first step to privacy by design is having consent for the collection and usage of someone's data, lawyers noted. To avoid Federal Trade Commission Act violations, how personal data is used should match the company's public-facing privacy policy, said Cozen O'Connor privacy and data security member Brian Kint.

Kint noted anonymized and aggregate data "generally does not meet the definition of personal information under the law," and wouldn't fall under the California Consumer Privacy Act, any state's data breach notification law or the General Data Protection Regulation.

Still, for tools such as the Google-Apple project, language in the privacy and usage notice should also be transparent about the aggregate data's collection and usage, said Fox Rothschild partner and chief privacy and HIPAA compliance officer Elizabeth Litten.

"If I were drafting that type of language for that type of tool, I would make sure people realize even though users won't be told who they came in contact with, who was infected or when it occurred … it's not anticipated but feasible someone could infer their identity based on who they saw and who they came into contact with," she explained.

Companies should also push back against government agencies insisting on collecting unneeded data, noted Reed Smith partner and global regulatory enforcement group member Dora Wang.

"Some government agencies will want to broadly collect data, but it's up to the company to have that dialogue and question it. Because right now we have that social will, but when [the outbreak] comes down in a couple months that app will be collecting massive amounts of data from the public," she said.

When the public and health demands subside, the retention, storage and use of the data will need to be revisited and potentially modified, she added.

To be sure, controls to limit the flow of data and improve security also shouldn't be an afterthought. Leaked data from a solution that was intended for public good can become a PR nightmare, Litten noted.

"Even if it's not technically protected under a law as you are using it, it could be a public relations problem if information is leaked out and people realize you as the vendor or partner doing the tracking and researching didn't handle the data appropriately," she explained.

To mitigate those risks, GCs and their company should have the wherewithal to explore expansive and creative testing that addresses all privacy and security pitfalls, Litten said.

She added, "You want to be careful that you've tested it [with] privacy by design and making sure there's no unintended consequences."