Canvas LMS

Canvas LMS

Canvas LMS embeds course content players, assignment interfaces, and learning modules on institutional websites. Scripts track learner progress, engagement events, and assignment completions to support LMS functionality and reporting.

Overview

Canvas LMS is a learning management system developed by Instructure, Inc., widely adopted by universities, K-12 school districts, community colleges, and corporate training programs. Canvas holds a dominant market position in higher education in the US and has significant global adoption. When integrated into institutional websites or portals, Canvas embeds course content players, assignment submission interfaces, quiz engines, and learning module navigators that allow students and learners to interact with course material within the host environment.

What This Script Does

Canvas LMS embeds load JavaScript from the institution's Canvas instance — typically hosted at *.instructure.com (Instructure's cloud) or a custom subdomain (e.g., canvas.university.edu) — to render course content and interactive learning components. The Canvas JavaScript SDK and course player scripts handle content playback, quiz delivery, assignment submission, discussion forum rendering, and grade display.

Cookies Set by Canvas LMS Embeds:

  • canvas_session — encrypted session authentication cookie, session-scoped (or persists for the duration of the login session, typically 24 hours); set under the institution's Canvas domain; maintains the learner's authenticated session with the LMS
  • _legacy_normandy_session — legacy session cookie maintained for backward compatibility with older Canvas features, session-scoped
  • csrf_token — CSRF protection token, session-scoped; required by Canvas's Rails backend for all POST/PATCH/DELETE requests
  • remember_user_token — persistent remember-me cookie, 30 days; set if the learner selects "Remember me" at login; enables re-authentication without password entry
  • timezone — stores the user's detected timezone as a preference cookie, persistent; used to display assignment due dates and calendar events in the correct local time

Engagement Tracking and Analytics:

  • Canvas records detailed engagement events in its Analytics infrastructure: time spent on each content item (page, video, assignment), quiz attempt data (answers submitted, time per question, score), assignment submission timestamps, discussion post frequency, and login patterns
  • These events populate Canvas Analytics and New Analytics dashboards visible to instructors and administrators
  • Event data is transmitted to Instructure's analytics pipeline (analytics.instructure.com) for processing
  • Canvas Data — Instructure's bulk data export service — can deliver raw event logs to institutional data warehouses for institutional research

LTI Tool Integrations:

  • Canvas embeds often include Learning Tools Interoperability (LTI) launches that load third-party tools (e.g., Turnitin, Kaltura, Respondus) within iframes; each LTI tool may set its own cookies and perform its own data collection

Instructure, Inc. is a US company. Canvas cloud is hosted in AWS (US-EAST, EU-WEST). GDPR-compliant DPA available. For EU institutions, Instructure offers EU data residency with processing confined to AWS EU regions. Instructure participates in the EU-US Data Privacy Framework.

Consent & Compliance

Canvas LMS embeds are categorized as functional technology. Under GDPR and the ePrivacy Directive, cookies that maintain an authenticated learning session and track course progress are strictly necessary for the educational service the learner has enrolled in. Data processing is based on the contractual relationship between the institution and the student under GDPR Article 6(1)(b), or on the institution's legitimate interest in delivering educational services under Article 6(1)(f). Under CCPA/CPRA, student learning data processed by Canvas in an educational institution context is subject to FERPA (20 U.S.C. §1232g), and FERPA-protected educational records are explicitly exempt from CCPA under Cal. Civ. Code §1798.145(e)(3).

Should You Block This Without Consent?

No. Canvas LMS embeds are functional educational tools whose cookies and engagement tracking serve the core learning experience — authenticated session management, progress tracking, and grade recording. Blocking would prevent students from accessing course content and completing assignments.

Visit website

Consent Categories

Also Known As

Canvas LMSInstructure CanvasCanvas learning managementCanvas education

Industries

Science and EducationEducationUniversities and CollegesComputers Electronics and Technology

Tracked Domains (1)

instructure.comFunctional

Frequently Asked Questions

Does Canvas LMS require user consent to load?

No. Canvas LMS embeds are strictly necessary for the educational service learners have enrolled in. Session authentication, CSRF protection, and progress tracking cookies operate under the contractual basis in GDPR Article 6(1)(b) and the ePrivacy strictly necessary exemption.

What cookies does Canvas LMS set?

Canvas sets canvas_session (24-hour encrypted auth session), csrf_token (CSRF protection), remember_user_token (30-day persistent login), and timezone (local time display preference). Engagement events — time on page, quiz attempts, submission timestamps — flow to Instructure's analytics pipeline.

How does ConsentStack classify Canvas LMS?

ConsentStack categorizes Canvas LMS as functional and permits it to load without consent. Student learning data processed by Canvas in educational contexts is also protected under FERPA, which exempts such records from CCPA. ConsentStack respects this classification and does not gate Canvas embeds.

Related Vendors

Panopto
Panopto
Panopto embeds video lecture players and course recording content on educational portals and enterprise intranets. Scripts handle video playback, track viewing progress and completion for learning analytics, and enforce access permissions tied to institutional authentication.
Udemy
Udemy
Udemy embeds course preview widgets and enrollment flows on partner and affiliate websites. Scripts track engagement with course content and may set cookies to attribute referrals and enrollments back to the originating partner site.
Wise
Wise
Wise embeds international money transfer widgets and multi-currency payment flows on partner websites. Scripts load during send-money transactions and may collect payment intent data, exchange rate selections, and user session information.
Ticketmaster
Ticketmaster
Ticketmaster is a major live event ticketing platform that embeds purchase flows and event listings on venue and artist websites. Scripts load Ticketmaster widget infrastructure and set session cookies to maintain cart state during the ticket purchase flow. No independent user tracking beyond the transaction.
Zoho SalesIQ
Zoho SalesIQ
Zoho SalesIQ is a live chat and visitor intelligence platform. Scripts embed chat widgets on websites, track visitor navigation paths, and score leads based on behavioral signals such as pages visited and time on site. Cookies identify returning visitors and link chat sessions to visitor profiles.
Bazaarvoice
Bazaarvoice
Bazaarvoice is an enterprise ratings, reviews, and UGC syndication network used by major global brands. Scripts embed review display widgets, Q&A sections, and photo galleries on product pages. Reviews are syndicated across Bazaarvoice's retailer network, and collected UGC is used in social advertising and shopper insights programs.

Manage consent for Canvas LMS

ConsentStack automatically detects and manages Canvas LMS trackers so your site stays compliant with global privacy regulations.