Canvas LMS

Canvas LMS

Canvas LMS embeds course content players, assignment interfaces, and learning modules on institutional websites. Scripts track learner progress, engagement events, and assignment completions to support LMS functionality and reporting.

Back to Vendor Library

Overview

Canvas LMS is a learning management system developed by Instructure, Inc., widely adopted by universities, K-12 school districts, community colleges, and corporate training programs. Canvas holds a dominant market position in higher education in the US and has significant global adoption. When integrated into institutional websites or portals, Canvas embeds course content players, assignment submission interfaces, quiz engines, and learning module navigators that allow students and learners to interact with course material within the host environment.

What This Script Does

Canvas LMS embeds load JavaScript from the institution's Canvas instance — typically hosted at *.instructure.com (Instructure's cloud) or a custom subdomain (e.g., canvas.university.edu) — to render course content and interactive learning components. The Canvas JavaScript SDK and course player scripts handle content playback, quiz delivery, assignment submission, discussion forum rendering, and grade display.

Cookies Set by Canvas LMS Embeds:

  • canvas_session — encrypted session authentication cookie, session-scoped (or persists for the duration of the login session, typically 24 hours); set under the institution's Canvas domain; maintains the learner's authenticated session with the LMS
  • _legacy_normandy_session — legacy session cookie maintained for backward compatibility with older Canvas features, session-scoped
  • csrf_token — CSRF protection token, session-scoped; required by Canvas's Rails backend for all POST/PATCH/DELETE requests
  • remember_user_token — persistent remember-me cookie, 30 days; set if the learner selects "Remember me" at login; enables re-authentication without password entry
  • timezone — stores the user's detected timezone as a preference cookie, persistent; used to display assignment due dates and calendar events in the correct local time

Engagement Tracking and Analytics:

  • Canvas records detailed engagement events in its Analytics infrastructure: time spent on each content item (page, video, assignment), quiz attempt data (answers submitted, time per question, score), assignment submission timestamps, discussion post frequency, and login patterns
  • These events populate Canvas Analytics and New Analytics dashboards visible to instructors and administrators
  • Event data is transmitted to Instructure's analytics pipeline (analytics.instructure.com) for processing
  • Canvas Data — Instructure's bulk data export service — can deliver raw event logs to institutional data warehouses for institutional research

LTI Tool Integrations:

  • Canvas embeds often include Learning Tools Interoperability (LTI) launches that load third-party tools (e.g., Turnitin, Kaltura, Respondus) within iframes; each LTI tool may set its own cookies and perform its own data collection

Instructure, Inc. is a US company. Canvas cloud is hosted in AWS (US-EAST, EU-WEST). GDPR-compliant DPA available. For EU institutions, Instructure offers EU data residency with processing confined to AWS EU regions. Instructure participates in the EU-US Data Privacy Framework.

Consent & Compliance

Canvas LMS embeds are categorized as functional technology. Under GDPR and the ePrivacy Directive, cookies that maintain an authenticated learning session and track course progress are strictly necessary for the educational service the learner has enrolled in. Data processing is based on the contractual relationship between the institution and the student under GDPR Article 6(1)(b), or on the institution's legitimate interest in delivering educational services under Article 6(1)(f). Under CCPA/CPRA, student learning data processed by Canvas in an educational institution context is subject to FERPA (20 U.S.C. §1232g), and FERPA-protected educational records are explicitly exempt from CCPA under Cal. Civ. Code §1798.145(e)(3).

Should You Block This Without Consent?

No. Canvas LMS embeds are functional educational tools whose cookies and engagement tracking serve the core learning experience — authenticated session management, progress tracking, and grade recording. Blocking would prevent students from accessing course content and completing assignments.

Visit website

Consent Categories

Functional

Also Known As

Canvas LMSInstructure CanvasCanvas learning managementCanvas education

Industries

Science and EducationEducationUniversities and CollegesComputers Electronics and Technology

Tracked Domains (1)

instructure.comFunctional

Frequently Asked Questions

Does Canvas LMS require user consent to load?

No. Canvas LMS embeds are strictly necessary for the educational service learners have enrolled in. Session authentication, CSRF protection, and progress tracking cookies operate under the contractual basis in GDPR Article 6(1)(b) and the ePrivacy strictly necessary exemption.

What cookies does Canvas LMS set?

Canvas sets canvas_session (24-hour encrypted auth session), csrf_token (CSRF protection), remember_user_token (30-day persistent login), and timezone (local time display preference). Engagement events — time on page, quiz attempts, submission timestamps — flow to Instructure's analytics pipeline.

How does ConsentStack classify Canvas LMS?

ConsentStack categorizes Canvas LMS as functional and permits it to load without consent. Student learning data processed by Canvas in educational contexts is also protected under FERPA, which exempts such records from CCPA. ConsentStack respects this classification and does not gate Canvas embeds.

Related Vendors

Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.

Manage consent for Canvas LMS

ConsentStack automatically detects and manages Canvas LMS trackers so your site stays compliant with global privacy regulations.

Get started free