On May 25, 2018, the General Data Protection Regulation (GDPR) was put into effect to protect the data of the people of the EU. In order to be GDPR compliant, one must obtain the user’s consent before using cookies, but this is not possible for third-party cookies. This means that effectively, GDPR banned third-party cookies.
What is a third-party cookie?
A cookie is simply a piece of data that a website stores in a browser to be used again later. The browser is effectively the cookie jar, and the data is the cookie. However, this data is often used for user identification, so if you think of the internet as several libraries, then each cookie in the cookie jar more closely resembles a library card in your wallet.
When the website whose URL appears in the address bar of the user’s browser stores a cookie, that cookie is known as a first-party cookie. In this case, the cookie is being stored by a website that the user intended to go to, and a website that can also easily gather consent data from this user. However, every time a webpage loads, there are often many more web requests being made beyond just loading the page for the URL that’s in the address bar.
In the case of websites that run ads, an additional web request has to be made to the website that’s running the ad in order for it to be displayed. While the user had no intentions of going to that web address, the advertisement’s website can still try to store a cookie in the user’s browser. In this case, it is a third-party cookie. The user and the website they intended to reach are first-party participants, but the advertiser is a third party, which means that the cookies it stores are third-party cookies.
What do third-party cookies have to do with LMS Apps?
While there are privacy concerns around advertisers storing data in users’ browsers, which led GDPR to ban third-party cookies, LMS integrations were caught in the crossfire. Learning Management Systems (LMSs) such as Canvas, Blackboard, D2L/Brightspace, Moodle, and Sakai all support a standard called Learning Tools Interoperability (LTI) which enables students and instructors to seamlessly log into other edtech applications from their LMS without having to enter another username and password. Unfortunately, the mechanism for edtech applications getting displayed in LMSs is the same as that of advertisements getting displayed on other websites. These edtech applications or websites, sometimes called tools, are a third party to the user and the LMS, which means that any cookies that they store would be third-party cookies. To make matters worse, the latest version of the LTI standard, LTI 1.3, initially required edtech applications to use third-party cookies as part of its security measures. This means that all edtech applications that are LTI 1.3 compliant would be GDPR non-compliant. However, as of July 21, 2022, 1EdTech published three new specifications to explain what changes LMSs and edtech applications could make to continue to adhere to the security measures of LTI without the use of third-party cookies.
What is Chrome doing?
In order for browsers to be GDPR compliant and continue operating in the EU, they have to block the usage of third-party cookies. In early 2020, Safari became the first browser to fully block third-party cookies by default, and users have been unable to access LTI tools/applications directly within their LMS since then. For years, the other browsers continued to push out the date that they planned to block third-party cookies, to the point where the endeavor started to seem like a wild goose chase. However, towards the end of 2023, Chrome began to firm up the dates it would block third-party cookies and announced that third-party cookies would be blocked by default for 1% of its users starting on January 4, 2024. Chrome further plans to block third-party cookies for all of its users by default in Q3 of 2024. This means that at the time of writing, 1% of Chrome users, or 30 million people, are unable to access LTI tools/applications directly within their LMS by default, and this will be expanded to all Chrome users by Q3 2024.
How concerned should I be, and what should I do?
While third-party cookies are necessary to access LTI tools/applications directly within an LMS, if the application is configured to automatically open in a new tab when clicked on from the LMS, then it becomes a first-party application, and cookies will still be available to it. Most LMSs have a setting that can be adjusted to enable the LTI application to open in a new tab instead of directly within the LMS UI shell. However, it is not possible to open LTI application content selection menus (also known as LTI Deep Linking menus) in a new tab, so this stopgap solution will not work for applications that use this feature.
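The first-party versus third-party distinction, and why opening the tool in a new tab restores its cookies, shown as an added example that is not part of the original article. It is a toy cookie jar: the hostnames and the `tool_session` cookie are constructed, and "site" is approximated as the last two hostname labels (real browsers use the Public Suffix List).

```javascript
// Toy model of a browser cookie jar (added illustration, not real browser code).
// Assumption: "site" = last two hostname labels; browsers use the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Third-party: the request goes to a different site than the address bar shows.
function isThirdParty(addressBarUrl, requestUrl) {
  return siteOf(addressBarUrl) !== siteOf(requestUrl);
}

class CookieJar {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.cookies = new Map(); // host -> Map(name -> value)
  }
  allowed(addressBarUrl, requestUrl) {
    return !(this.blockThirdParty && isThirdParty(addressBarUrl, requestUrl));
  }
  set(addressBarUrl, requestUrl, name, value) {
    if (!this.allowed(addressBarUrl, requestUrl)) return false; // silently dropped
    const host = new URL(requestUrl).hostname;
    if (!this.cookies.has(host)) this.cookies.set(host, new Map());
    this.cookies.get(host).set(name, value);
    return true;
  }
  get(addressBarUrl, requestUrl, name) {
    if (!this.allowed(addressBarUrl, requestUrl)) return undefined; // not sent
    return this.cookies.get(new URL(requestUrl).hostname)?.get(name);
  }
}

// A launch in two requests: the first stores a session cookie, the second needs it back.
function launchTool(jar, addressBarUrl, toolUrl) {
  jar.set(addressBarUrl, toolUrl, "tool_session", "constructed-session-id");
  const session = jar.get(addressBarUrl, toolUrl, "tool_session");
  return session === "constructed-session-id" ? "launched" : "session cookie missing";
}

const LMS = "https://lms.example.edu/courses/1";   // constructed hostname
const TOOL = "https://tool.example.com/launch";    // constructed hostname
function demo() {
  const blocking = new CookieJar({ blockThirdParty: true });
  return {
    embeddedInLms: launchTool(blocking, LMS, TOOL),   // iframe: address bar shows the LMS
    openedInNewTab: launchTool(blocking, TOOL, TOOL), // own tab: address bar shows the tool
    legacyBrowser: launchTool(new CookieJar({ blockThirdParty: false }), LMS, TOOL),
  };
}
```

With blocking enabled, the same tool fails when embedded in the LMS and succeeds when it is the top-level page, which is why the new-tab setting works as a stopgap.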
Another stopgap option is to provide instructions to your customers on how to change the default setting in their browser so they will no longer block third-party cookies. However, this option is not recommended since it would then also allow third-party cookies to be usable by advertisers, potentially violating the privacy of users.
If you are willing and able to have your application opened in a new tab by users accessing it from their LMS, then you should talk with your development team and the authors of your customer-facing documentation to ensure that your application is currently set up to do this, or can easily be adapted for this.
If you have an application that users access from within an LMS such as Canvas, Blackboard, or D2L/Brightspace, and you do not want to or are not able to have this application opened in a new tab, then you will want to implement 1EdTech’s new third-party cookie circumventing specifications before you begin to receive an overwhelming number of customer support calls from people who cannot access your application at all. Implementing 1EdTech’s third-party cookie circumventing specifications can be a fairly daunting development lift, involving changes to both frontend and backend code in every instance that your application stores a cookie, so it would be wise to put this on your roadmap for the current year if it is not already.
If you would like more information about 1EdTech’s third-party cookie circumventing specifications, click here. If you would like assistance with developing a plan for your applications to stop using third-party cookies or if you would like a partner to do this development while your teams focus on your remaining roadmap for the year, please contact us.